xref: /openbmc/qemu/ui/vnc.c (revision a10b9d93)
1 /*
2  * QEMU VNC display driver
3  *
4  * Copyright (C) 2006 Anthony Liguori <anthony@codemonkey.ws>
5  * Copyright (C) 2006 Fabrice Bellard
6  * Copyright (C) 2009 Red Hat, Inc
7  *
8  * Permission is hereby granted, free of charge, to any person obtaining a copy
9  * of this software and associated documentation files (the "Software"), to deal
10  * in the Software without restriction, including without limitation the rights
11  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
12  * copies of the Software, and to permit persons to whom the Software is
13  * furnished to do so, subject to the following conditions:
14  *
15  * The above copyright notice and this permission notice shall be included in
16  * all copies or substantial portions of the Software.
17  *
18  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
19  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
20  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
21  * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
22  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
23  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
24  * THE SOFTWARE.
25  */
26 
27 #include "qemu/osdep.h"
28 #include "vnc.h"
29 #include "vnc-jobs.h"
30 #include "trace.h"
31 #include "hw/qdev-core.h"
32 #include "sysemu/sysemu.h"
33 #include "sysemu/runstate.h"
34 #include "qemu/error-report.h"
35 #include "qemu/main-loop.h"
36 #include "qemu/module.h"
37 #include "qemu/option.h"
38 #include "qemu/sockets.h"
39 #include "qemu/timer.h"
40 #include "authz/list.h"
41 #include "qemu/config-file.h"
42 #include "qapi/qapi-emit-events.h"
43 #include "qapi/qapi-events-ui.h"
44 #include "qapi/error.h"
45 #include "qapi/qapi-commands-ui.h"
46 #include "ui/input.h"
47 #include "crypto/hash.h"
48 #include "crypto/tlscredsanon.h"
49 #include "crypto/tlscredsx509.h"
50 #include "crypto/random.h"
51 #include "qom/object_interfaces.h"
52 #include "qemu/cutils.h"
53 #include "io/dns-resolver.h"
54 
55 #define VNC_REFRESH_INTERVAL_BASE GUI_REFRESH_INTERVAL_DEFAULT
56 #define VNC_REFRESH_INTERVAL_INC  50
57 #define VNC_REFRESH_INTERVAL_MAX  GUI_REFRESH_INTERVAL_IDLE
58 static const struct timeval VNC_REFRESH_STATS = { 0, 500000 };
59 static const struct timeval VNC_REFRESH_LOSSY = { 2, 0 };
60 
61 #include "vnc_keysym.h"
62 #include "crypto/cipher.h"
63 
64 static QTAILQ_HEAD(, VncDisplay) vnc_displays =
65     QTAILQ_HEAD_INITIALIZER(vnc_displays);
66 
67 static int vnc_cursor_define(VncState *vs);
68 static void vnc_update_throttle_offset(VncState *vs);
69 
70 static void vnc_set_share_mode(VncState *vs, VncShareMode mode)
71 {
72 #ifdef _VNC_DEBUG
73     static const char *mn[] = {
74         [0]                           = "undefined",
75         [VNC_SHARE_MODE_CONNECTING]   = "connecting",
76         [VNC_SHARE_MODE_SHARED]       = "shared",
77         [VNC_SHARE_MODE_EXCLUSIVE]    = "exclusive",
78         [VNC_SHARE_MODE_DISCONNECTED] = "disconnected",
79     };
80     fprintf(stderr, "%s/%p: %s -> %s\n", __func__,
81             vs->ioc, mn[vs->share_mode], mn[mode]);
82 #endif
83 
84     switch (vs->share_mode) {
85     case VNC_SHARE_MODE_CONNECTING:
86         vs->vd->num_connecting--;
87         break;
88     case VNC_SHARE_MODE_SHARED:
89         vs->vd->num_shared--;
90         break;
91     case VNC_SHARE_MODE_EXCLUSIVE:
92         vs->vd->num_exclusive--;
93         break;
94     default:
95         break;
96     }
97 
98     vs->share_mode = mode;
99 
100     switch (vs->share_mode) {
101     case VNC_SHARE_MODE_CONNECTING:
102         vs->vd->num_connecting++;
103         break;
104     case VNC_SHARE_MODE_SHARED:
105         vs->vd->num_shared++;
106         break;
107     case VNC_SHARE_MODE_EXCLUSIVE:
108         vs->vd->num_exclusive++;
109         break;
110     default:
111         break;
112     }
113 }
114 
115 
116 static void vnc_init_basic_info(SocketAddress *addr,
117                                 VncBasicInfo *info,
118                                 Error **errp)
119 {
120     switch (addr->type) {
121     case SOCKET_ADDRESS_TYPE_INET:
122         info->host = g_strdup(addr->u.inet.host);
123         info->service = g_strdup(addr->u.inet.port);
124         if (addr->u.inet.ipv6) {
125             info->family = NETWORK_ADDRESS_FAMILY_IPV6;
126         } else {
127             info->family = NETWORK_ADDRESS_FAMILY_IPV4;
128         }
129         break;
130 
131     case SOCKET_ADDRESS_TYPE_UNIX:
132         info->host = g_strdup("");
133         info->service = g_strdup(addr->u.q_unix.path);
134         info->family = NETWORK_ADDRESS_FAMILY_UNIX;
135         break;
136 
137     case SOCKET_ADDRESS_TYPE_VSOCK:
138     case SOCKET_ADDRESS_TYPE_FD:
139         error_setg(errp, "Unsupported socket address type %s",
140                    SocketAddressType_str(addr->type));
141         break;
142     default:
143         abort();
144     }
145 
146     return;
147 }
148 
149 static void vnc_init_basic_info_from_server_addr(QIOChannelSocket *ioc,
150                                                  VncBasicInfo *info,
151                                                  Error **errp)
152 {
153     SocketAddress *addr = NULL;
154 
155     if (!ioc) {
156         error_setg(errp, "No listener socket available");
157         return;
158     }
159 
160     addr = qio_channel_socket_get_local_address(ioc, errp);
161     if (!addr) {
162         return;
163     }
164 
165     vnc_init_basic_info(addr, info, errp);
166     qapi_free_SocketAddress(addr);
167 }
168 
169 static void vnc_init_basic_info_from_remote_addr(QIOChannelSocket *ioc,
170                                                  VncBasicInfo *info,
171                                                  Error **errp)
172 {
173     SocketAddress *addr = NULL;
174 
175     addr = qio_channel_socket_get_remote_address(ioc, errp);
176     if (!addr) {
177         return;
178     }
179 
180     vnc_init_basic_info(addr, info, errp);
181     qapi_free_SocketAddress(addr);
182 }
183 
184 static const char *vnc_auth_name(VncDisplay *vd) {
185     switch (vd->auth) {
186     case VNC_AUTH_INVALID:
187         return "invalid";
188     case VNC_AUTH_NONE:
189         return "none";
190     case VNC_AUTH_VNC:
191         return "vnc";
192     case VNC_AUTH_RA2:
193         return "ra2";
194     case VNC_AUTH_RA2NE:
195         return "ra2ne";
196     case VNC_AUTH_TIGHT:
197         return "tight";
198     case VNC_AUTH_ULTRA:
199         return "ultra";
200     case VNC_AUTH_TLS:
201         return "tls";
202     case VNC_AUTH_VENCRYPT:
203         switch (vd->subauth) {
204         case VNC_AUTH_VENCRYPT_PLAIN:
205             return "vencrypt+plain";
206         case VNC_AUTH_VENCRYPT_TLSNONE:
207             return "vencrypt+tls+none";
208         case VNC_AUTH_VENCRYPT_TLSVNC:
209             return "vencrypt+tls+vnc";
210         case VNC_AUTH_VENCRYPT_TLSPLAIN:
211             return "vencrypt+tls+plain";
212         case VNC_AUTH_VENCRYPT_X509NONE:
213             return "vencrypt+x509+none";
214         case VNC_AUTH_VENCRYPT_X509VNC:
215             return "vencrypt+x509+vnc";
216         case VNC_AUTH_VENCRYPT_X509PLAIN:
217             return "vencrypt+x509+plain";
218         case VNC_AUTH_VENCRYPT_TLSSASL:
219             return "vencrypt+tls+sasl";
220         case VNC_AUTH_VENCRYPT_X509SASL:
221             return "vencrypt+x509+sasl";
222         default:
223             return "vencrypt";
224         }
225     case VNC_AUTH_SASL:
226         return "sasl";
227     }
228     return "unknown";
229 }
230 
231 static VncServerInfo *vnc_server_info_get(VncDisplay *vd)
232 {
233     VncServerInfo *info;
234     Error *err = NULL;
235 
236     if (!vd->listener || !vd->listener->nsioc) {
237         return NULL;
238     }
239 
240     info = g_malloc0(sizeof(*info));
241     vnc_init_basic_info_from_server_addr(vd->listener->sioc[0],
242                                          qapi_VncServerInfo_base(info), &err);
243     info->has_auth = true;
244     info->auth = g_strdup(vnc_auth_name(vd));
245     if (err) {
246         qapi_free_VncServerInfo(info);
247         info = NULL;
248         error_free(err);
249     }
250     return info;
251 }
252 
253 static void vnc_client_cache_auth(VncState *client)
254 {
255     if (!client->info) {
256         return;
257     }
258 
259     if (client->tls) {
260         client->info->x509_dname =
261             qcrypto_tls_session_get_peer_name(client->tls);
262         client->info->has_x509_dname =
263             client->info->x509_dname != NULL;
264     }
265 #ifdef CONFIG_VNC_SASL
266     if (client->sasl.conn &&
267         client->sasl.username) {
268         client->info->has_sasl_username = true;
269         client->info->sasl_username = g_strdup(client->sasl.username);
270     }
271 #endif
272 }
273 
274 static void vnc_client_cache_addr(VncState *client)
275 {
276     Error *err = NULL;
277 
278     client->info = g_malloc0(sizeof(*client->info));
279     vnc_init_basic_info_from_remote_addr(client->sioc,
280                                          qapi_VncClientInfo_base(client->info),
281                                          &err);
282     client->info->websocket = client->websocket;
283     if (err) {
284         qapi_free_VncClientInfo(client->info);
285         client->info = NULL;
286         error_free(err);
287     }
288 }
289 
290 static void vnc_qmp_event(VncState *vs, QAPIEvent event)
291 {
292     VncServerInfo *si;
293 
294     if (!vs->info) {
295         return;
296     }
297 
298     si = vnc_server_info_get(vs->vd);
299     if (!si) {
300         return;
301     }
302 
303     switch (event) {
304     case QAPI_EVENT_VNC_CONNECTED:
305         qapi_event_send_vnc_connected(si, qapi_VncClientInfo_base(vs->info));
306         break;
307     case QAPI_EVENT_VNC_INITIALIZED:
308         qapi_event_send_vnc_initialized(si, vs->info);
309         break;
310     case QAPI_EVENT_VNC_DISCONNECTED:
311         qapi_event_send_vnc_disconnected(si, vs->info);
312         break;
313     default:
314         break;
315     }
316 
317     qapi_free_VncServerInfo(si);
318 }
319 
320 static VncClientInfo *qmp_query_vnc_client(const VncState *client)
321 {
322     VncClientInfo *info;
323     Error *err = NULL;
324 
325     info = g_malloc0(sizeof(*info));
326 
327     vnc_init_basic_info_from_remote_addr(client->sioc,
328                                          qapi_VncClientInfo_base(info),
329                                          &err);
330     if (err) {
331         error_free(err);
332         qapi_free_VncClientInfo(info);
333         return NULL;
334     }
335 
336     info->websocket = client->websocket;
337 
338     if (client->tls) {
339         info->x509_dname = qcrypto_tls_session_get_peer_name(client->tls);
340         info->has_x509_dname = info->x509_dname != NULL;
341     }
342 #ifdef CONFIG_VNC_SASL
343     if (client->sasl.conn && client->sasl.username) {
344         info->has_sasl_username = true;
345         info->sasl_username = g_strdup(client->sasl.username);
346     }
347 #endif
348 
349     return info;
350 }
351 
352 static VncDisplay *vnc_display_find(const char *id)
353 {
354     VncDisplay *vd;
355 
356     if (id == NULL) {
357         return QTAILQ_FIRST(&vnc_displays);
358     }
359     QTAILQ_FOREACH(vd, &vnc_displays, next) {
360         if (strcmp(id, vd->id) == 0) {
361             return vd;
362         }
363     }
364     return NULL;
365 }
366 
367 static VncClientInfoList *qmp_query_client_list(VncDisplay *vd)
368 {
369     VncClientInfoList *prev = NULL;
370     VncState *client;
371 
372     QTAILQ_FOREACH(client, &vd->clients, next) {
373         QAPI_LIST_PREPEND(prev, qmp_query_vnc_client(client));
374     }
375     return prev;
376 }
377 
378 VncInfo *qmp_query_vnc(Error **errp)
379 {
380     VncInfo *info = g_malloc0(sizeof(*info));
381     VncDisplay *vd = vnc_display_find(NULL);
382     SocketAddress *addr = NULL;
383 
384     if (vd == NULL || !vd->listener || !vd->listener->nsioc) {
385         info->enabled = false;
386     } else {
387         info->enabled = true;
388 
389         /* for compatibility with the original command */
390         info->has_clients = true;
391         info->clients = qmp_query_client_list(vd);
392 
393         addr = qio_channel_socket_get_local_address(vd->listener->sioc[0],
394                                                     errp);
395         if (!addr) {
396             goto out_error;
397         }
398 
399         switch (addr->type) {
400         case SOCKET_ADDRESS_TYPE_INET:
401             info->host = g_strdup(addr->u.inet.host);
402             info->service = g_strdup(addr->u.inet.port);
403             if (addr->u.inet.ipv6) {
404                 info->family = NETWORK_ADDRESS_FAMILY_IPV6;
405             } else {
406                 info->family = NETWORK_ADDRESS_FAMILY_IPV4;
407             }
408             break;
409 
410         case SOCKET_ADDRESS_TYPE_UNIX:
411             info->host = g_strdup("");
412             info->service = g_strdup(addr->u.q_unix.path);
413             info->family = NETWORK_ADDRESS_FAMILY_UNIX;
414             break;
415 
416         case SOCKET_ADDRESS_TYPE_VSOCK:
417         case SOCKET_ADDRESS_TYPE_FD:
418             error_setg(errp, "Unsupported socket address type %s",
419                        SocketAddressType_str(addr->type));
420             goto out_error;
421         default:
422             abort();
423         }
424 
425         info->has_host = true;
426         info->has_service = true;
427         info->has_family = true;
428 
429         info->has_auth = true;
430         info->auth = g_strdup(vnc_auth_name(vd));
431     }
432 
433     qapi_free_SocketAddress(addr);
434     return info;
435 
436 out_error:
437     qapi_free_SocketAddress(addr);
438     qapi_free_VncInfo(info);
439     return NULL;
440 }
441 
442 
443 static void qmp_query_auth(int auth, int subauth,
444                            VncPrimaryAuth *qmp_auth,
445                            VncVencryptSubAuth *qmp_vencrypt,
446                            bool *qmp_has_vencrypt);
447 
448 static VncServerInfo2List *qmp_query_server_entry(QIOChannelSocket *ioc,
449                                                   bool websocket,
450                                                   int auth,
451                                                   int subauth,
452                                                   VncServerInfo2List *prev)
453 {
454     VncServerInfo2 *info;
455     Error *err = NULL;
456     SocketAddress *addr;
457 
458     addr = qio_channel_socket_get_local_address(ioc, NULL);
459     if (!addr) {
460         return prev;
461     }
462 
463     info = g_new0(VncServerInfo2, 1);
464     vnc_init_basic_info(addr, qapi_VncServerInfo2_base(info), &err);
465     qapi_free_SocketAddress(addr);
466     if (err) {
467         qapi_free_VncServerInfo2(info);
468         error_free(err);
469         return prev;
470     }
471     info->websocket = websocket;
472 
473     qmp_query_auth(auth, subauth, &info->auth,
474                    &info->vencrypt, &info->has_vencrypt);
475 
476     QAPI_LIST_PREPEND(prev, info);
477     return prev;
478 }
479 
480 static void qmp_query_auth(int auth, int subauth,
481                            VncPrimaryAuth *qmp_auth,
482                            VncVencryptSubAuth *qmp_vencrypt,
483                            bool *qmp_has_vencrypt)
484 {
485     switch (auth) {
486     case VNC_AUTH_VNC:
487         *qmp_auth = VNC_PRIMARY_AUTH_VNC;
488         break;
489     case VNC_AUTH_RA2:
490         *qmp_auth = VNC_PRIMARY_AUTH_RA2;
491         break;
492     case VNC_AUTH_RA2NE:
493         *qmp_auth = VNC_PRIMARY_AUTH_RA2NE;
494         break;
495     case VNC_AUTH_TIGHT:
496         *qmp_auth = VNC_PRIMARY_AUTH_TIGHT;
497         break;
498     case VNC_AUTH_ULTRA:
499         *qmp_auth = VNC_PRIMARY_AUTH_ULTRA;
500         break;
501     case VNC_AUTH_TLS:
502         *qmp_auth = VNC_PRIMARY_AUTH_TLS;
503         break;
504     case VNC_AUTH_VENCRYPT:
505         *qmp_auth = VNC_PRIMARY_AUTH_VENCRYPT;
506         *qmp_has_vencrypt = true;
507         switch (subauth) {
508         case VNC_AUTH_VENCRYPT_PLAIN:
509             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_PLAIN;
510             break;
511         case VNC_AUTH_VENCRYPT_TLSNONE:
512             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_NONE;
513             break;
514         case VNC_AUTH_VENCRYPT_TLSVNC:
515             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_VNC;
516             break;
517         case VNC_AUTH_VENCRYPT_TLSPLAIN:
518             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_PLAIN;
519             break;
520         case VNC_AUTH_VENCRYPT_X509NONE:
521             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_NONE;
522             break;
523         case VNC_AUTH_VENCRYPT_X509VNC:
524             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_VNC;
525             break;
526         case VNC_AUTH_VENCRYPT_X509PLAIN:
527             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_PLAIN;
528             break;
529         case VNC_AUTH_VENCRYPT_TLSSASL:
530             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_SASL;
531             break;
532         case VNC_AUTH_VENCRYPT_X509SASL:
533             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_SASL;
534             break;
535         default:
536             *qmp_has_vencrypt = false;
537             break;
538         }
539         break;
540     case VNC_AUTH_SASL:
541         *qmp_auth = VNC_PRIMARY_AUTH_SASL;
542         break;
543     case VNC_AUTH_NONE:
544     default:
545         *qmp_auth = VNC_PRIMARY_AUTH_NONE;
546         break;
547     }
548 }
549 
550 VncInfo2List *qmp_query_vnc_servers(Error **errp)
551 {
552     VncInfo2List *prev = NULL;
553     VncInfo2 *info;
554     VncDisplay *vd;
555     DeviceState *dev;
556     size_t i;
557 
558     QTAILQ_FOREACH(vd, &vnc_displays, next) {
559         info = g_new0(VncInfo2, 1);
560         info->id = g_strdup(vd->id);
561         info->clients = qmp_query_client_list(vd);
562         qmp_query_auth(vd->auth, vd->subauth, &info->auth,
563                        &info->vencrypt, &info->has_vencrypt);
564         if (vd->dcl.con) {
565             dev = DEVICE(object_property_get_link(OBJECT(vd->dcl.con),
566                                                   "device", &error_abort));
567             info->has_display = true;
568             info->display = g_strdup(dev->id);
569         }
570         for (i = 0; vd->listener != NULL && i < vd->listener->nsioc; i++) {
571             info->server = qmp_query_server_entry(
572                 vd->listener->sioc[i], false, vd->auth, vd->subauth,
573                 info->server);
574         }
575         for (i = 0; vd->wslistener != NULL && i < vd->wslistener->nsioc; i++) {
576             info->server = qmp_query_server_entry(
577                 vd->wslistener->sioc[i], true, vd->ws_auth,
578                 vd->ws_subauth, info->server);
579         }
580 
581         QAPI_LIST_PREPEND(prev, info);
582     }
583     return prev;
584 }
585 
586 /* TODO
587    1) Get the queue working for IO.
588    2) there is some weirdness when using the -S option (the screen is grey
589       and not totally invalidated
590    3) resolutions > 1024
591 */
592 
593 static int vnc_update_client(VncState *vs, int has_dirty);
594 static void vnc_disconnect_start(VncState *vs);
595 
596 static void vnc_colordepth(VncState *vs);
597 static void framebuffer_update_request(VncState *vs, int incremental,
598                                        int x_position, int y_position,
599                                        int w, int h);
600 static void vnc_refresh(DisplayChangeListener *dcl);
601 static int vnc_refresh_server_surface(VncDisplay *vd);
602 
603 static int vnc_width(VncDisplay *vd)
604 {
605     return MIN(VNC_MAX_WIDTH, ROUND_UP(surface_width(vd->ds),
606                                        VNC_DIRTY_PIXELS_PER_BIT));
607 }
608 
609 static int vnc_height(VncDisplay *vd)
610 {
611     return MIN(VNC_MAX_HEIGHT, surface_height(vd->ds));
612 }
613 
614 static void vnc_set_area_dirty(DECLARE_BITMAP(dirty[VNC_MAX_HEIGHT],
615                                VNC_MAX_WIDTH / VNC_DIRTY_PIXELS_PER_BIT),
616                                VncDisplay *vd,
617                                int x, int y, int w, int h)
618 {
619     int width = vnc_width(vd);
620     int height = vnc_height(vd);
621 
622     /* this is needed this to ensure we updated all affected
623      * blocks if x % VNC_DIRTY_PIXELS_PER_BIT != 0 */
624     w += (x % VNC_DIRTY_PIXELS_PER_BIT);
625     x -= (x % VNC_DIRTY_PIXELS_PER_BIT);
626 
627     x = MIN(x, width);
628     y = MIN(y, height);
629     w = MIN(x + w, width) - x;
630     h = MIN(y + h, height);
631 
632     for (; y < h; y++) {
633         bitmap_set(dirty[y], x / VNC_DIRTY_PIXELS_PER_BIT,
634                    DIV_ROUND_UP(w, VNC_DIRTY_PIXELS_PER_BIT));
635     }
636 }
637 
638 static void vnc_dpy_update(DisplayChangeListener *dcl,
639                            int x, int y, int w, int h)
640 {
641     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
642     struct VncSurface *s = &vd->guest;
643 
644     vnc_set_area_dirty(s->dirty, vd, x, y, w, h);
645 }
646 
647 void vnc_framebuffer_update(VncState *vs, int x, int y, int w, int h,
648                             int32_t encoding)
649 {
650     vnc_write_u16(vs, x);
651     vnc_write_u16(vs, y);
652     vnc_write_u16(vs, w);
653     vnc_write_u16(vs, h);
654 
655     vnc_write_s32(vs, encoding);
656 }
657 
658 static void vnc_desktop_resize_ext(VncState *vs, int reject_reason)
659 {
660     vnc_lock_output(vs);
661     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
662     vnc_write_u8(vs, 0);
663     vnc_write_u16(vs, 1); /* number of rects */
664     vnc_framebuffer_update(vs,
665                            reject_reason ? 1 : 0,
666                            reject_reason,
667                            vs->client_width, vs->client_height,
668                            VNC_ENCODING_DESKTOP_RESIZE_EXT);
669     vnc_write_u8(vs, 1);  /* number of screens */
670     vnc_write_u8(vs, 0);  /* padding */
671     vnc_write_u8(vs, 0);  /* padding */
672     vnc_write_u8(vs, 0);  /* padding */
673     vnc_write_u32(vs, 0); /* screen id */
674     vnc_write_u16(vs, 0); /* screen x-pos */
675     vnc_write_u16(vs, 0); /* screen y-pos */
676     vnc_write_u16(vs, vs->client_width);
677     vnc_write_u16(vs, vs->client_height);
678     vnc_write_u32(vs, 0); /* screen flags */
679     vnc_unlock_output(vs);
680     vnc_flush(vs);
681 }
682 
683 static void vnc_desktop_resize(VncState *vs)
684 {
685     if (vs->ioc == NULL || (!vnc_has_feature(vs, VNC_FEATURE_RESIZE) &&
686                             !vnc_has_feature(vs, VNC_FEATURE_RESIZE_EXT))) {
687         return;
688     }
689 
690     assert(pixman_image_get_width(vs->vd->server) < 65536 &&
691            pixman_image_get_width(vs->vd->server) >= 0);
692     assert(pixman_image_get_height(vs->vd->server) < 65536 &&
693            pixman_image_get_height(vs->vd->server) >= 0);
694     vs->client_width = pixman_image_get_width(vs->vd->server);
695     vs->client_height = pixman_image_get_height(vs->vd->server);
696 
697     if (vnc_has_feature(vs, VNC_FEATURE_RESIZE_EXT)) {
698         vnc_desktop_resize_ext(vs, 0);
699         return;
700     }
701 
702     vnc_lock_output(vs);
703     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
704     vnc_write_u8(vs, 0);
705     vnc_write_u16(vs, 1); /* number of rects */
706     vnc_framebuffer_update(vs, 0, 0, vs->client_width, vs->client_height,
707                            VNC_ENCODING_DESKTOPRESIZE);
708     vnc_unlock_output(vs);
709     vnc_flush(vs);
710 }
711 
712 static void vnc_abort_display_jobs(VncDisplay *vd)
713 {
714     VncState *vs;
715 
716     QTAILQ_FOREACH(vs, &vd->clients, next) {
717         vnc_lock_output(vs);
718         vs->abort = true;
719         vnc_unlock_output(vs);
720     }
721     QTAILQ_FOREACH(vs, &vd->clients, next) {
722         vnc_jobs_join(vs);
723     }
724     QTAILQ_FOREACH(vs, &vd->clients, next) {
725         vnc_lock_output(vs);
726         if (vs->update == VNC_STATE_UPDATE_NONE &&
727             vs->job_update != VNC_STATE_UPDATE_NONE) {
728             /* job aborted before completion */
729             vs->update = vs->job_update;
730             vs->job_update = VNC_STATE_UPDATE_NONE;
731         }
732         vs->abort = false;
733         vnc_unlock_output(vs);
734     }
735 }
736 
737 int vnc_server_fb_stride(VncDisplay *vd)
738 {
739     return pixman_image_get_stride(vd->server);
740 }
741 
742 void *vnc_server_fb_ptr(VncDisplay *vd, int x, int y)
743 {
744     uint8_t *ptr;
745 
746     ptr  = (uint8_t *)pixman_image_get_data(vd->server);
747     ptr += y * vnc_server_fb_stride(vd);
748     ptr += x * VNC_SERVER_FB_BYTES;
749     return ptr;
750 }
751 
752 static void vnc_update_server_surface(VncDisplay *vd)
753 {
754     int width, height;
755 
756     qemu_pixman_image_unref(vd->server);
757     vd->server = NULL;
758 
759     if (QTAILQ_EMPTY(&vd->clients)) {
760         return;
761     }
762 
763     width = vnc_width(vd);
764     height = vnc_height(vd);
765     vd->server = pixman_image_create_bits(VNC_SERVER_FB_FORMAT,
766                                           width, height,
767                                           NULL, 0);
768 
769     memset(vd->guest.dirty, 0x00, sizeof(vd->guest.dirty));
770     vnc_set_area_dirty(vd->guest.dirty, vd, 0, 0,
771                        width, height);
772 }
773 
774 static bool vnc_check_pageflip(DisplaySurface *s1,
775                                DisplaySurface *s2)
776 {
777     return (s1 != NULL &&
778             s2 != NULL &&
779             surface_width(s1) == surface_width(s2) &&
780             surface_height(s1) == surface_height(s2) &&
781             surface_format(s1) == surface_format(s2));
782 
783 }
784 
785 static void vnc_dpy_switch(DisplayChangeListener *dcl,
786                            DisplaySurface *surface)
787 {
788     static const char placeholder_msg[] =
789         "Display output is not active.";
790     static DisplaySurface *placeholder;
791     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
792     bool pageflip = vnc_check_pageflip(vd->ds, surface);
793     VncState *vs;
794 
795     if (surface == NULL) {
796         if (placeholder == NULL) {
797             placeholder = qemu_create_message_surface(640, 480, placeholder_msg);
798         }
799         surface = placeholder;
800     }
801 
802     vnc_abort_display_jobs(vd);
803     vd->ds = surface;
804 
805     /* guest surface */
806     qemu_pixman_image_unref(vd->guest.fb);
807     vd->guest.fb = pixman_image_ref(surface->image);
808     vd->guest.format = surface->format;
809 
810     if (pageflip) {
811         vnc_set_area_dirty(vd->guest.dirty, vd, 0, 0,
812                            surface_width(surface),
813                            surface_height(surface));
814         return;
815     }
816 
817     /* server surface */
818     vnc_update_server_surface(vd);
819 
820     QTAILQ_FOREACH(vs, &vd->clients, next) {
821         vnc_colordepth(vs);
822         vnc_desktop_resize(vs);
823         vnc_cursor_define(vs);
824         memset(vs->dirty, 0x00, sizeof(vs->dirty));
825         vnc_set_area_dirty(vs->dirty, vd, 0, 0,
826                            vnc_width(vd),
827                            vnc_height(vd));
828         vnc_update_throttle_offset(vs);
829     }
830 }
831 
832 /* fastest code */
833 static void vnc_write_pixels_copy(VncState *vs,
834                                   void *pixels, int size)
835 {
836     vnc_write(vs, pixels, size);
837 }
838 
839 /* slowest but generic code. */
840 void vnc_convert_pixel(VncState *vs, uint8_t *buf, uint32_t v)
841 {
842     uint8_t r, g, b;
843 
844 #if VNC_SERVER_FB_FORMAT == PIXMAN_FORMAT(32, PIXMAN_TYPE_ARGB, 0, 8, 8, 8)
845     r = (((v & 0x00ff0000) >> 16) << vs->client_pf.rbits) >> 8;
846     g = (((v & 0x0000ff00) >>  8) << vs->client_pf.gbits) >> 8;
847     b = (((v & 0x000000ff) >>  0) << vs->client_pf.bbits) >> 8;
848 #else
849 # error need some bits here if you change VNC_SERVER_FB_FORMAT
850 #endif
851     v = (r << vs->client_pf.rshift) |
852         (g << vs->client_pf.gshift) |
853         (b << vs->client_pf.bshift);
854     switch (vs->client_pf.bytes_per_pixel) {
855     case 1:
856         buf[0] = v;
857         break;
858     case 2:
859         if (vs->client_be) {
860             buf[0] = v >> 8;
861             buf[1] = v;
862         } else {
863             buf[1] = v >> 8;
864             buf[0] = v;
865         }
866         break;
867     default:
868     case 4:
869         if (vs->client_be) {
870             buf[0] = v >> 24;
871             buf[1] = v >> 16;
872             buf[2] = v >> 8;
873             buf[3] = v;
874         } else {
875             buf[3] = v >> 24;
876             buf[2] = v >> 16;
877             buf[1] = v >> 8;
878             buf[0] = v;
879         }
880         break;
881     }
882 }
883 
884 static void vnc_write_pixels_generic(VncState *vs,
885                                      void *pixels1, int size)
886 {
887     uint8_t buf[4];
888 
889     if (VNC_SERVER_FB_BYTES == 4) {
890         uint32_t *pixels = pixels1;
891         int n, i;
892         n = size >> 2;
893         for (i = 0; i < n; i++) {
894             vnc_convert_pixel(vs, buf, pixels[i]);
895             vnc_write(vs, buf, vs->client_pf.bytes_per_pixel);
896         }
897     }
898 }
899 
900 int vnc_raw_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
901 {
902     int i;
903     uint8_t *row;
904     VncDisplay *vd = vs->vd;
905 
906     row = vnc_server_fb_ptr(vd, x, y);
907     for (i = 0; i < h; i++) {
908         vs->write_pixels(vs, row, w * VNC_SERVER_FB_BYTES);
909         row += vnc_server_fb_stride(vd);
910     }
911     return 1;
912 }
913 
914 int vnc_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
915 {
916     int n = 0;
917 
918     switch(vs->vnc_encoding) {
919         case VNC_ENCODING_ZLIB:
920             n = vnc_zlib_send_framebuffer_update(vs, x, y, w, h);
921             break;
922         case VNC_ENCODING_HEXTILE:
923             vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_HEXTILE);
924             n = vnc_hextile_send_framebuffer_update(vs, x, y, w, h);
925             break;
926         case VNC_ENCODING_TIGHT:
927             n = vnc_tight_send_framebuffer_update(vs, x, y, w, h);
928             break;
929         case VNC_ENCODING_TIGHT_PNG:
930             n = vnc_tight_png_send_framebuffer_update(vs, x, y, w, h);
931             break;
932         case VNC_ENCODING_ZRLE:
933             n = vnc_zrle_send_framebuffer_update(vs, x, y, w, h);
934             break;
935         case VNC_ENCODING_ZYWRLE:
936             n = vnc_zywrle_send_framebuffer_update(vs, x, y, w, h);
937             break;
938         default:
939             vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_RAW);
940             n = vnc_raw_send_framebuffer_update(vs, x, y, w, h);
941             break;
942     }
943     return n;
944 }
945 
946 static void vnc_mouse_set(DisplayChangeListener *dcl,
947                           int x, int y, int visible)
948 {
949     /* can we ask the client(s) to move the pointer ??? */
950 }
951 
952 static int vnc_cursor_define(VncState *vs)
953 {
954     QEMUCursor *c = vs->vd->cursor;
955     int isize;
956 
957     if (!vs->vd->cursor) {
958         return -1;
959     }
960 
961     if (vnc_has_feature(vs, VNC_FEATURE_ALPHA_CURSOR)) {
962         vnc_lock_output(vs);
963         vnc_write_u8(vs,  VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
964         vnc_write_u8(vs,  0);  /*  padding     */
965         vnc_write_u16(vs, 1);  /*  # of rects  */
966         vnc_framebuffer_update(vs, c->hot_x, c->hot_y, c->width, c->height,
967                                VNC_ENCODING_ALPHA_CURSOR);
968         vnc_write_s32(vs, VNC_ENCODING_RAW);
969         vnc_write(vs, c->data, c->width * c->height * 4);
970         vnc_unlock_output(vs);
971         return 0;
972     }
973     if (vnc_has_feature(vs, VNC_FEATURE_RICH_CURSOR)) {
974         vnc_lock_output(vs);
975         vnc_write_u8(vs,  VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
976         vnc_write_u8(vs,  0);  /*  padding     */
977         vnc_write_u16(vs, 1);  /*  # of rects  */
978         vnc_framebuffer_update(vs, c->hot_x, c->hot_y, c->width, c->height,
979                                VNC_ENCODING_RICH_CURSOR);
980         isize = c->width * c->height * vs->client_pf.bytes_per_pixel;
981         vnc_write_pixels_generic(vs, c->data, isize);
982         vnc_write(vs, vs->vd->cursor_mask, vs->vd->cursor_msize);
983         vnc_unlock_output(vs);
984         return 0;
985     }
986     return -1;
987 }
988 
989 static void vnc_dpy_cursor_define(DisplayChangeListener *dcl,
990                                   QEMUCursor *c)
991 {
992     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
993     VncState *vs;
994 
995     cursor_put(vd->cursor);
996     g_free(vd->cursor_mask);
997 
998     vd->cursor = c;
999     cursor_get(vd->cursor);
1000     vd->cursor_msize = cursor_get_mono_bpl(c) * c->height;
1001     vd->cursor_mask = g_malloc0(vd->cursor_msize);
1002     cursor_get_mono_mask(c, 0, vd->cursor_mask);
1003 
1004     QTAILQ_FOREACH(vs, &vd->clients, next) {
1005         vnc_cursor_define(vs);
1006     }
1007 }
1008 
1009 static int find_and_clear_dirty_height(VncState *vs,
1010                                        int y, int last_x, int x, int height)
1011 {
1012     int h;
1013 
1014     for (h = 1; h < (height - y); h++) {
1015         if (!test_bit(last_x, vs->dirty[y + h])) {
1016             break;
1017         }
1018         bitmap_clear(vs->dirty[y + h], last_x, x - last_x);
1019     }
1020 
1021     return h;
1022 }
1023 
1024 /*
1025  * Figure out how much pending data we should allow in the output
1026  * buffer before we throttle incremental display updates, and/or
1027  * drop audio samples.
1028  *
1029  * We allow for equiv of 1 full display's worth of FB updates,
1030  * and 1 second of audio samples. If audio backlog was larger
1031  * than that the client would already suffering awful audio
1032  * glitches, so dropping samples is no worse really).
1033  */
1034 static void vnc_update_throttle_offset(VncState *vs)
1035 {
1036     size_t offset =
1037         vs->client_width * vs->client_height * vs->client_pf.bytes_per_pixel;
1038 
1039     if (vs->audio_cap) {
1040         int bps;
1041         switch (vs->as.fmt) {
1042         default:
1043         case  AUDIO_FORMAT_U8:
1044         case  AUDIO_FORMAT_S8:
1045             bps = 1;
1046             break;
1047         case  AUDIO_FORMAT_U16:
1048         case  AUDIO_FORMAT_S16:
1049             bps = 2;
1050             break;
1051         case  AUDIO_FORMAT_U32:
1052         case  AUDIO_FORMAT_S32:
1053             bps = 4;
1054             break;
1055         }
1056         offset += vs->as.freq * bps * vs->as.nchannels;
1057     }
1058 
1059     /* Put a floor of 1MB on offset, so that if we have a large pending
1060      * buffer and the display is resized to a small size & back again
1061      * we don't suddenly apply a tiny send limit
1062      */
1063     offset = MAX(offset, 1024 * 1024);
1064 
1065     if (vs->throttle_output_offset != offset) {
1066         trace_vnc_client_throttle_threshold(
1067             vs, vs->ioc, vs->throttle_output_offset, offset, vs->client_width,
1068             vs->client_height, vs->client_pf.bytes_per_pixel, vs->audio_cap);
1069     }
1070 
1071     vs->throttle_output_offset = offset;
1072 }
1073 
1074 static bool vnc_should_update(VncState *vs)
1075 {
1076     switch (vs->update) {
1077     case VNC_STATE_UPDATE_NONE:
1078         break;
1079     case VNC_STATE_UPDATE_INCREMENTAL:
1080         /* Only allow incremental updates if the pending send queue
1081          * is less than the permitted threshold, and the job worker
1082          * is completely idle.
1083          */
1084         if (vs->output.offset < vs->throttle_output_offset &&
1085             vs->job_update == VNC_STATE_UPDATE_NONE) {
1086             return true;
1087         }
1088         trace_vnc_client_throttle_incremental(
1089             vs, vs->ioc, vs->job_update, vs->output.offset);
1090         break;
1091     case VNC_STATE_UPDATE_FORCE:
1092         /* Only allow forced updates if the pending send queue
1093          * does not contain a previous forced update, and the
1094          * job worker is completely idle.
1095          *
1096          * Note this means we'll queue a forced update, even if
1097          * the output buffer size is otherwise over the throttle
1098          * output limit.
1099          */
1100         if (vs->force_update_offset == 0 &&
1101             vs->job_update == VNC_STATE_UPDATE_NONE) {
1102             return true;
1103         }
1104         trace_vnc_client_throttle_forced(
1105             vs, vs->ioc, vs->job_update, vs->force_update_offset);
1106         break;
1107     }
1108     return false;
1109 }
1110 
1111 static int vnc_update_client(VncState *vs, int has_dirty)
1112 {
1113     VncDisplay *vd = vs->vd;
1114     VncJob *job;
1115     int y;
1116     int height, width;
1117     int n = 0;
1118 
1119     if (vs->disconnecting) {
1120         vnc_disconnect_finish(vs);
1121         return 0;
1122     }
1123 
1124     vs->has_dirty += has_dirty;
1125     if (!vnc_should_update(vs)) {
1126         return 0;
1127     }
1128 
1129     if (!vs->has_dirty && vs->update != VNC_STATE_UPDATE_FORCE) {
1130         return 0;
1131     }
1132 
1133     /*
1134      * Send screen updates to the vnc client using the server
1135      * surface and server dirty map.  guest surface updates
1136      * happening in parallel don't disturb us, the next pass will
1137      * send them to the client.
1138      */
1139     job = vnc_job_new(vs);
1140 
1141     height = pixman_image_get_height(vd->server);
1142     width = pixman_image_get_width(vd->server);
1143 
1144     y = 0;
1145     for (;;) {
1146         int x, h;
1147         unsigned long x2;
1148         unsigned long offset = find_next_bit((unsigned long *) &vs->dirty,
1149                                              height * VNC_DIRTY_BPL(vs),
1150                                              y * VNC_DIRTY_BPL(vs));
1151         if (offset == height * VNC_DIRTY_BPL(vs)) {
1152             /* no more dirty bits */
1153             break;
1154         }
1155         y = offset / VNC_DIRTY_BPL(vs);
1156         x = offset % VNC_DIRTY_BPL(vs);
1157         x2 = find_next_zero_bit((unsigned long *) &vs->dirty[y],
1158                                 VNC_DIRTY_BPL(vs), x);
1159         bitmap_clear(vs->dirty[y], x, x2 - x);
1160         h = find_and_clear_dirty_height(vs, y, x, x2, height);
1161         x2 = MIN(x2, width / VNC_DIRTY_PIXELS_PER_BIT);
1162         if (x2 > x) {
1163             n += vnc_job_add_rect(job, x * VNC_DIRTY_PIXELS_PER_BIT, y,
1164                                   (x2 - x) * VNC_DIRTY_PIXELS_PER_BIT, h);
1165         }
1166         if (!x && x2 == width / VNC_DIRTY_PIXELS_PER_BIT) {
1167             y += h;
1168             if (y == height) {
1169                 break;
1170             }
1171         }
1172     }
1173 
1174     vs->job_update = vs->update;
1175     vs->update = VNC_STATE_UPDATE_NONE;
1176     vnc_job_push(job);
1177     vs->has_dirty = 0;
1178     return n;
1179 }
1180 
1181 /* audio */
1182 static void audio_capture_notify(void *opaque, audcnotification_e cmd)
1183 {
1184     VncState *vs = opaque;
1185 
1186     assert(vs->magic == VNC_MAGIC);
1187     switch (cmd) {
1188     case AUD_CNOTIFY_DISABLE:
1189         vnc_lock_output(vs);
1190         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1191         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1192         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_END);
1193         vnc_unlock_output(vs);
1194         vnc_flush(vs);
1195         break;
1196 
1197     case AUD_CNOTIFY_ENABLE:
1198         vnc_lock_output(vs);
1199         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1200         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1201         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_BEGIN);
1202         vnc_unlock_output(vs);
1203         vnc_flush(vs);
1204         break;
1205     }
1206 }
1207 
1208 static void audio_capture_destroy(void *opaque)
1209 {
1210 }
1211 
1212 static void audio_capture(void *opaque, const void *buf, int size)
1213 {
1214     VncState *vs = opaque;
1215 
1216     assert(vs->magic == VNC_MAGIC);
1217     vnc_lock_output(vs);
1218     if (vs->output.offset < vs->throttle_output_offset) {
1219         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1220         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1221         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_DATA);
1222         vnc_write_u32(vs, size);
1223         vnc_write(vs, buf, size);
1224     } else {
1225         trace_vnc_client_throttle_audio(vs, vs->ioc, vs->output.offset);
1226     }
1227     vnc_unlock_output(vs);
1228     vnc_flush(vs);
1229 }
1230 
1231 static void audio_add(VncState *vs)
1232 {
1233     struct audio_capture_ops ops;
1234 
1235     if (vs->audio_cap) {
1236         error_report("audio already running");
1237         return;
1238     }
1239 
1240     ops.notify = audio_capture_notify;
1241     ops.destroy = audio_capture_destroy;
1242     ops.capture = audio_capture;
1243 
1244     vs->audio_cap = AUD_add_capture(vs->vd->audio_state, &vs->as, &ops, vs);
1245     if (!vs->audio_cap) {
1246         error_report("Failed to add audio capture");
1247     }
1248 }
1249 
1250 static void audio_del(VncState *vs)
1251 {
1252     if (vs->audio_cap) {
1253         AUD_del_capture(vs->audio_cap, vs);
1254         vs->audio_cap = NULL;
1255     }
1256 }
1257 
1258 static void vnc_disconnect_start(VncState *vs)
1259 {
1260     if (vs->disconnecting) {
1261         return;
1262     }
1263     trace_vnc_client_disconnect_start(vs, vs->ioc);
1264     vnc_set_share_mode(vs, VNC_SHARE_MODE_DISCONNECTED);
1265     if (vs->ioc_tag) {
1266         g_source_remove(vs->ioc_tag);
1267         vs->ioc_tag = 0;
1268     }
1269     qio_channel_close(vs->ioc, NULL);
1270     vs->disconnecting = TRUE;
1271 }
1272 
1273 void vnc_disconnect_finish(VncState *vs)
1274 {
1275     int i;
1276 
1277     trace_vnc_client_disconnect_finish(vs, vs->ioc);
1278 
1279     vnc_jobs_join(vs); /* Wait encoding jobs */
1280 
1281     vnc_lock_output(vs);
1282     vnc_qmp_event(vs, QAPI_EVENT_VNC_DISCONNECTED);
1283 
1284     buffer_free(&vs->input);
1285     buffer_free(&vs->output);
1286 
1287     qapi_free_VncClientInfo(vs->info);
1288 
1289     vnc_zlib_clear(vs);
1290     vnc_tight_clear(vs);
1291     vnc_zrle_clear(vs);
1292 
1293 #ifdef CONFIG_VNC_SASL
1294     vnc_sasl_client_cleanup(vs);
1295 #endif /* CONFIG_VNC_SASL */
1296     audio_del(vs);
1297     qkbd_state_lift_all_keys(vs->vd->kbd);
1298 
1299     if (vs->mouse_mode_notifier.notify != NULL) {
1300         qemu_remove_mouse_mode_change_notifier(&vs->mouse_mode_notifier);
1301     }
1302     QTAILQ_REMOVE(&vs->vd->clients, vs, next);
1303     if (QTAILQ_EMPTY(&vs->vd->clients)) {
1304         /* last client gone */
1305         vnc_update_server_surface(vs->vd);
1306     }
1307 
1308     vnc_unlock_output(vs);
1309 
1310     qemu_mutex_destroy(&vs->output_mutex);
1311     if (vs->bh != NULL) {
1312         qemu_bh_delete(vs->bh);
1313     }
1314     buffer_free(&vs->jobs_buffer);
1315 
1316     for (i = 0; i < VNC_STAT_ROWS; ++i) {
1317         g_free(vs->lossy_rect[i]);
1318     }
1319     g_free(vs->lossy_rect);
1320 
1321     object_unref(OBJECT(vs->ioc));
1322     vs->ioc = NULL;
1323     object_unref(OBJECT(vs->sioc));
1324     vs->sioc = NULL;
1325     vs->magic = 0;
1326     g_free(vs->zrle);
1327     g_free(vs->tight);
1328     g_free(vs);
1329 }
1330 
1331 size_t vnc_client_io_error(VncState *vs, ssize_t ret, Error *err)
1332 {
1333     if (ret <= 0) {
1334         if (ret == 0) {
1335             trace_vnc_client_eof(vs, vs->ioc);
1336             vnc_disconnect_start(vs);
1337         } else if (ret != QIO_CHANNEL_ERR_BLOCK) {
1338             trace_vnc_client_io_error(vs, vs->ioc,
1339                                       err ? error_get_pretty(err) : "Unknown");
1340             vnc_disconnect_start(vs);
1341         }
1342 
1343         error_free(err);
1344         return 0;
1345     }
1346     return ret;
1347 }
1348 
1349 
1350 void vnc_client_error(VncState *vs)
1351 {
1352     VNC_DEBUG("Closing down client sock: protocol error\n");
1353     vnc_disconnect_start(vs);
1354 }
1355 
1356 
1357 /*
1358  * Called to write a chunk of data to the client socket. The data may
1359  * be the raw data, or may have already been encoded by SASL.
1360  * The data will be written either straight onto the socket, or
1361  * written via the GNUTLS wrappers, if TLS/SSL encryption is enabled
1362  *
1363  * NB, it is theoretically possible to have 2 layers of encryption,
1364  * both SASL, and this TLS layer. It is highly unlikely in practice
1365  * though, since SASL encryption will typically be a no-op if TLS
1366  * is active
1367  *
1368  * Returns the number of bytes written, which may be less than
1369  * the requested 'datalen' if the socket would block. Returns
1370  * 0 on I/O error, and disconnects the client socket.
1371  */
1372 size_t vnc_client_write_buf(VncState *vs, const uint8_t *data, size_t datalen)
1373 {
1374     Error *err = NULL;
1375     ssize_t ret;
1376     ret = qio_channel_write(vs->ioc, (const char *)data, datalen, &err);
1377     VNC_DEBUG("Wrote wire %p %zd -> %ld\n", data, datalen, ret);
1378     return vnc_client_io_error(vs, ret, err);
1379 }
1380 
1381 
1382 /*
1383  * Called to write buffered data to the client socket, when not
1384  * using any SASL SSF encryption layers. Will write as much data
1385  * as possible without blocking. If all buffered data is written,
1386  * will switch the FD poll() handler back to read monitoring.
1387  *
1388  * Returns the number of bytes written, which may be less than
1389  * the buffered output data if the socket would block.  Returns
1390  * 0 on I/O error, and disconnects the client socket.
1391  */
1392 static size_t vnc_client_write_plain(VncState *vs)
1393 {
1394     size_t offset;
1395     size_t ret;
1396 
1397 #ifdef CONFIG_VNC_SASL
1398     VNC_DEBUG("Write Plain: Pending output %p size %zd offset %zd. Wait SSF %d\n",
1399               vs->output.buffer, vs->output.capacity, vs->output.offset,
1400               vs->sasl.waitWriteSSF);
1401 
1402     if (vs->sasl.conn &&
1403         vs->sasl.runSSF &&
1404         vs->sasl.waitWriteSSF) {
1405         ret = vnc_client_write_buf(vs, vs->output.buffer, vs->sasl.waitWriteSSF);
1406         if (ret)
1407             vs->sasl.waitWriteSSF -= ret;
1408     } else
1409 #endif /* CONFIG_VNC_SASL */
1410         ret = vnc_client_write_buf(vs, vs->output.buffer, vs->output.offset);
1411     if (!ret)
1412         return 0;
1413 
1414     if (ret >= vs->force_update_offset) {
1415         if (vs->force_update_offset != 0) {
1416             trace_vnc_client_unthrottle_forced(vs, vs->ioc);
1417         }
1418         vs->force_update_offset = 0;
1419     } else {
1420         vs->force_update_offset -= ret;
1421     }
1422     offset = vs->output.offset;
1423     buffer_advance(&vs->output, ret);
1424     if (offset >= vs->throttle_output_offset &&
1425         vs->output.offset < vs->throttle_output_offset) {
1426         trace_vnc_client_unthrottle_incremental(vs, vs->ioc, vs->output.offset);
1427     }
1428 
1429     if (vs->output.offset == 0) {
1430         if (vs->ioc_tag) {
1431             g_source_remove(vs->ioc_tag);
1432         }
1433         vs->ioc_tag = qio_channel_add_watch(
1434             vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
1435             vnc_client_io, vs, NULL);
1436     }
1437 
1438     return ret;
1439 }
1440 
1441 
1442 /*
1443  * First function called whenever there is data to be written to
1444  * the client socket. Will delegate actual work according to whether
1445  * SASL SSF layers are enabled (thus requiring encryption calls)
1446  */
1447 static void vnc_client_write_locked(VncState *vs)
1448 {
1449 #ifdef CONFIG_VNC_SASL
1450     if (vs->sasl.conn &&
1451         vs->sasl.runSSF &&
1452         !vs->sasl.waitWriteSSF) {
1453         vnc_client_write_sasl(vs);
1454     } else
1455 #endif /* CONFIG_VNC_SASL */
1456     {
1457         vnc_client_write_plain(vs);
1458     }
1459 }
1460 
1461 static void vnc_client_write(VncState *vs)
1462 {
1463     assert(vs->magic == VNC_MAGIC);
1464     vnc_lock_output(vs);
1465     if (vs->output.offset) {
1466         vnc_client_write_locked(vs);
1467     } else if (vs->ioc != NULL) {
1468         if (vs->ioc_tag) {
1469             g_source_remove(vs->ioc_tag);
1470         }
1471         vs->ioc_tag = qio_channel_add_watch(
1472             vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
1473             vnc_client_io, vs, NULL);
1474     }
1475     vnc_unlock_output(vs);
1476 }
1477 
1478 void vnc_read_when(VncState *vs, VncReadEvent *func, size_t expecting)
1479 {
1480     vs->read_handler = func;
1481     vs->read_handler_expect = expecting;
1482 }
1483 
1484 
1485 /*
1486  * Called to read a chunk of data from the client socket. The data may
1487  * be the raw data, or may need to be further decoded by SASL.
1488  * The data will be read either straight from to the socket, or
1489  * read via the GNUTLS wrappers, if TLS/SSL encryption is enabled
1490  *
1491  * NB, it is theoretically possible to have 2 layers of encryption,
1492  * both SASL, and this TLS layer. It is highly unlikely in practice
1493  * though, since SASL encryption will typically be a no-op if TLS
1494  * is active
1495  *
1496  * Returns the number of bytes read, which may be less than
1497  * the requested 'datalen' if the socket would block. Returns
1498  * 0 on I/O error or EOF, and disconnects the client socket.
1499  */
1500 size_t vnc_client_read_buf(VncState *vs, uint8_t *data, size_t datalen)
1501 {
1502     ssize_t ret;
1503     Error *err = NULL;
1504     ret = qio_channel_read(vs->ioc, (char *)data, datalen, &err);
1505     VNC_DEBUG("Read wire %p %zd -> %ld\n", data, datalen, ret);
1506     return vnc_client_io_error(vs, ret, err);
1507 }
1508 
1509 
1510 /*
1511  * Called to read data from the client socket to the input buffer,
1512  * when not using any SASL SSF encryption layers. Will read as much
1513  * data as possible without blocking.
1514  *
1515  * Returns the number of bytes read, which may be less than
1516  * the requested 'datalen' if the socket would block. Returns
1517  * 0 on I/O error or EOF, and disconnects the client socket.
1518  */
1519 static size_t vnc_client_read_plain(VncState *vs)
1520 {
1521     size_t ret;
1522     VNC_DEBUG("Read plain %p size %zd offset %zd\n",
1523               vs->input.buffer, vs->input.capacity, vs->input.offset);
1524     buffer_reserve(&vs->input, 4096);
1525     ret = vnc_client_read_buf(vs, buffer_end(&vs->input), 4096);
1526     if (!ret)
1527         return 0;
1528     vs->input.offset += ret;
1529     return ret;
1530 }
1531 
1532 static void vnc_jobs_bh(void *opaque)
1533 {
1534     VncState *vs = opaque;
1535 
1536     assert(vs->magic == VNC_MAGIC);
1537     vnc_jobs_consume_buffer(vs);
1538 }
1539 
1540 /*
1541  * First function called whenever there is more data to be read from
1542  * the client socket. Will delegate actual work according to whether
1543  * SASL SSF layers are enabled (thus requiring decryption calls)
1544  * Returns 0 on success, -1 if client disconnected
1545  */
1546 static int vnc_client_read(VncState *vs)
1547 {
1548     size_t ret;
1549 
1550 #ifdef CONFIG_VNC_SASL
1551     if (vs->sasl.conn && vs->sasl.runSSF)
1552         ret = vnc_client_read_sasl(vs);
1553     else
1554 #endif /* CONFIG_VNC_SASL */
1555         ret = vnc_client_read_plain(vs);
1556     if (!ret) {
1557         if (vs->disconnecting) {
1558             vnc_disconnect_finish(vs);
1559             return -1;
1560         }
1561         return 0;
1562     }
1563 
1564     while (vs->read_handler && vs->input.offset >= vs->read_handler_expect) {
1565         size_t len = vs->read_handler_expect;
1566         int ret;
1567 
1568         ret = vs->read_handler(vs, vs->input.buffer, len);
1569         if (vs->disconnecting) {
1570             vnc_disconnect_finish(vs);
1571             return -1;
1572         }
1573 
1574         if (!ret) {
1575             buffer_advance(&vs->input, len);
1576         } else {
1577             vs->read_handler_expect = ret;
1578         }
1579     }
1580     return 0;
1581 }
1582 
1583 gboolean vnc_client_io(QIOChannel *ioc G_GNUC_UNUSED,
1584                        GIOCondition condition, void *opaque)
1585 {
1586     VncState *vs = opaque;
1587 
1588     assert(vs->magic == VNC_MAGIC);
1589 
1590     if (condition & (G_IO_HUP | G_IO_ERR)) {
1591         vnc_disconnect_start(vs);
1592         return TRUE;
1593     }
1594 
1595     if (condition & G_IO_IN) {
1596         if (vnc_client_read(vs) < 0) {
1597             /* vs is free()ed here */
1598             return TRUE;
1599         }
1600     }
1601     if (condition & G_IO_OUT) {
1602         vnc_client_write(vs);
1603     }
1604 
1605     if (vs->disconnecting) {
1606         if (vs->ioc_tag != 0) {
1607             g_source_remove(vs->ioc_tag);
1608         }
1609         vs->ioc_tag = 0;
1610     }
1611     return TRUE;
1612 }
1613 
1614 
1615 /*
1616  * Scale factor to apply to vs->throttle_output_offset when checking for
1617  * hard limit. Worst case normal usage could be x2, if we have a complete
1618  * incremental update and complete forced update in the output buffer.
1619  * So x3 should be good enough, but we pick x5 to be conservative and thus
1620  * (hopefully) never trigger incorrectly.
1621  */
1622 #define VNC_THROTTLE_OUTPUT_LIMIT_SCALE 5
1623 
1624 void vnc_write(VncState *vs, const void *data, size_t len)
1625 {
1626     assert(vs->magic == VNC_MAGIC);
1627     if (vs->disconnecting) {
1628         return;
1629     }
1630     /* Protection against malicious client/guest to prevent our output
1631      * buffer growing without bound if client stops reading data. This
1632      * should rarely trigger, because we have earlier throttling code
1633      * which stops issuing framebuffer updates and drops audio data
1634      * if the throttle_output_offset value is exceeded. So we only reach
1635      * this higher level if a huge number of pseudo-encodings get
1636      * triggered while data can't be sent on the socket.
1637      *
1638      * NB throttle_output_offset can be zero during early protocol
1639      * handshake, or from the job thread's VncState clone
1640      */
1641     if (vs->throttle_output_offset != 0 &&
1642         (vs->output.offset / VNC_THROTTLE_OUTPUT_LIMIT_SCALE) >
1643         vs->throttle_output_offset) {
1644         trace_vnc_client_output_limit(vs, vs->ioc, vs->output.offset,
1645                                       vs->throttle_output_offset);
1646         vnc_disconnect_start(vs);
1647         return;
1648     }
1649     buffer_reserve(&vs->output, len);
1650 
1651     if (vs->ioc != NULL && buffer_empty(&vs->output)) {
1652         if (vs->ioc_tag) {
1653             g_source_remove(vs->ioc_tag);
1654         }
1655         vs->ioc_tag = qio_channel_add_watch(
1656             vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR | G_IO_OUT,
1657             vnc_client_io, vs, NULL);
1658     }
1659 
1660     buffer_append(&vs->output, data, len);
1661 }
1662 
1663 void vnc_write_s32(VncState *vs, int32_t value)
1664 {
1665     vnc_write_u32(vs, *(uint32_t *)&value);
1666 }
1667 
1668 void vnc_write_u32(VncState *vs, uint32_t value)
1669 {
1670     uint8_t buf[4];
1671 
1672     buf[0] = (value >> 24) & 0xFF;
1673     buf[1] = (value >> 16) & 0xFF;
1674     buf[2] = (value >>  8) & 0xFF;
1675     buf[3] = value & 0xFF;
1676 
1677     vnc_write(vs, buf, 4);
1678 }
1679 
1680 void vnc_write_u16(VncState *vs, uint16_t value)
1681 {
1682     uint8_t buf[2];
1683 
1684     buf[0] = (value >> 8) & 0xFF;
1685     buf[1] = value & 0xFF;
1686 
1687     vnc_write(vs, buf, 2);
1688 }
1689 
1690 void vnc_write_u8(VncState *vs, uint8_t value)
1691 {
1692     vnc_write(vs, (char *)&value, 1);
1693 }
1694 
1695 void vnc_flush(VncState *vs)
1696 {
1697     vnc_lock_output(vs);
1698     if (vs->ioc != NULL && vs->output.offset) {
1699         vnc_client_write_locked(vs);
1700     }
1701     if (vs->disconnecting) {
1702         if (vs->ioc_tag != 0) {
1703             g_source_remove(vs->ioc_tag);
1704         }
1705         vs->ioc_tag = 0;
1706     }
1707     vnc_unlock_output(vs);
1708 }
1709 
1710 static uint8_t read_u8(uint8_t *data, size_t offset)
1711 {
1712     return data[offset];
1713 }
1714 
1715 static uint16_t read_u16(uint8_t *data, size_t offset)
1716 {
1717     return ((data[offset] & 0xFF) << 8) | (data[offset + 1] & 0xFF);
1718 }
1719 
1720 static int32_t read_s32(uint8_t *data, size_t offset)
1721 {
1722     return (int32_t)((data[offset] << 24) | (data[offset + 1] << 16) |
1723                      (data[offset + 2] << 8) | data[offset + 3]);
1724 }
1725 
1726 uint32_t read_u32(uint8_t *data, size_t offset)
1727 {
1728     return ((data[offset] << 24) | (data[offset + 1] << 16) |
1729             (data[offset + 2] << 8) | data[offset + 3]);
1730 }
1731 
1732 static void client_cut_text(VncState *vs, size_t len, uint8_t *text)
1733 {
1734 }
1735 
1736 static void check_pointer_type_change(Notifier *notifier, void *data)
1737 {
1738     VncState *vs = container_of(notifier, VncState, mouse_mode_notifier);
1739     int absolute = qemu_input_is_absolute();
1740 
1741     if (vnc_has_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE) && vs->absolute != absolute) {
1742         vnc_lock_output(vs);
1743         vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1744         vnc_write_u8(vs, 0);
1745         vnc_write_u16(vs, 1);
1746         vnc_framebuffer_update(vs, absolute, 0,
1747                                pixman_image_get_width(vs->vd->server),
1748                                pixman_image_get_height(vs->vd->server),
1749                                VNC_ENCODING_POINTER_TYPE_CHANGE);
1750         vnc_unlock_output(vs);
1751         vnc_flush(vs);
1752     }
1753     vs->absolute = absolute;
1754 }
1755 
1756 static void pointer_event(VncState *vs, int button_mask, int x, int y)
1757 {
1758     static uint32_t bmap[INPUT_BUTTON__MAX] = {
1759         [INPUT_BUTTON_LEFT]       = 0x01,
1760         [INPUT_BUTTON_MIDDLE]     = 0x02,
1761         [INPUT_BUTTON_RIGHT]      = 0x04,
1762         [INPUT_BUTTON_WHEEL_UP]   = 0x08,
1763         [INPUT_BUTTON_WHEEL_DOWN] = 0x10,
1764     };
1765     QemuConsole *con = vs->vd->dcl.con;
1766     int width = pixman_image_get_width(vs->vd->server);
1767     int height = pixman_image_get_height(vs->vd->server);
1768 
1769     if (vs->last_bmask != button_mask) {
1770         qemu_input_update_buttons(con, bmap, vs->last_bmask, button_mask);
1771         vs->last_bmask = button_mask;
1772     }
1773 
1774     if (vs->absolute) {
1775         qemu_input_queue_abs(con, INPUT_AXIS_X, x, 0, width);
1776         qemu_input_queue_abs(con, INPUT_AXIS_Y, y, 0, height);
1777     } else if (vnc_has_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE)) {
1778         qemu_input_queue_rel(con, INPUT_AXIS_X, x - 0x7FFF);
1779         qemu_input_queue_rel(con, INPUT_AXIS_Y, y - 0x7FFF);
1780     } else {
1781         if (vs->last_x != -1) {
1782             qemu_input_queue_rel(con, INPUT_AXIS_X, x - vs->last_x);
1783             qemu_input_queue_rel(con, INPUT_AXIS_Y, y - vs->last_y);
1784         }
1785         vs->last_x = x;
1786         vs->last_y = y;
1787     }
1788     qemu_input_event_sync();
1789 }
1790 
1791 static void press_key(VncState *vs, QKeyCode qcode)
1792 {
1793     qkbd_state_key_event(vs->vd->kbd, qcode, true);
1794     qkbd_state_key_event(vs->vd->kbd, qcode, false);
1795 }
1796 
1797 static void vnc_led_state_change(VncState *vs)
1798 {
1799     if (!vnc_has_feature(vs, VNC_FEATURE_LED_STATE)) {
1800         return;
1801     }
1802 
1803     vnc_lock_output(vs);
1804     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1805     vnc_write_u8(vs, 0);
1806     vnc_write_u16(vs, 1);
1807     vnc_framebuffer_update(vs, 0, 0, 1, 1, VNC_ENCODING_LED_STATE);
1808     vnc_write_u8(vs, vs->vd->ledstate);
1809     vnc_unlock_output(vs);
1810     vnc_flush(vs);
1811 }
1812 
1813 static void kbd_leds(void *opaque, int ledstate)
1814 {
1815     VncDisplay *vd = opaque;
1816     VncState *client;
1817 
1818     trace_vnc_key_guest_leds((ledstate & QEMU_CAPS_LOCK_LED),
1819                              (ledstate & QEMU_NUM_LOCK_LED),
1820                              (ledstate & QEMU_SCROLL_LOCK_LED));
1821 
1822     if (ledstate == vd->ledstate) {
1823         return;
1824     }
1825 
1826     vd->ledstate = ledstate;
1827 
1828     QTAILQ_FOREACH(client, &vd->clients, next) {
1829         vnc_led_state_change(client);
1830     }
1831 }
1832 
1833 static void do_key_event(VncState *vs, int down, int keycode, int sym)
1834 {
1835     QKeyCode qcode = qemu_input_key_number_to_qcode(keycode);
1836 
1837     /* QEMU console switch */
1838     switch (qcode) {
1839     case Q_KEY_CODE_1 ... Q_KEY_CODE_9: /* '1' to '9' keys */
1840         if (vs->vd->dcl.con == NULL && down &&
1841             qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_CTRL) &&
1842             qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_ALT)) {
1843             /* Reset the modifiers sent to the current console */
1844             qkbd_state_lift_all_keys(vs->vd->kbd);
1845             console_select(qcode - Q_KEY_CODE_1);
1846             return;
1847         }
1848     default:
1849         break;
1850     }
1851 
1852     /* Turn off the lock state sync logic if the client support the led
1853        state extension.
1854     */
1855     if (down && vs->vd->lock_key_sync &&
1856         !vnc_has_feature(vs, VNC_FEATURE_LED_STATE) &&
1857         keycode_is_keypad(vs->vd->kbd_layout, keycode)) {
1858         /* If the numlock state needs to change then simulate an additional
1859            keypress before sending this one.  This will happen if the user
1860            toggles numlock away from the VNC window.
1861         */
1862         if (keysym_is_numlock(vs->vd->kbd_layout, sym & 0xFFFF)) {
1863             if (!qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_NUMLOCK)) {
1864                 trace_vnc_key_sync_numlock(true);
1865                 press_key(vs, Q_KEY_CODE_NUM_LOCK);
1866             }
1867         } else {
1868             if (qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_NUMLOCK)) {
1869                 trace_vnc_key_sync_numlock(false);
1870                 press_key(vs, Q_KEY_CODE_NUM_LOCK);
1871             }
1872         }
1873     }
1874 
1875     if (down && vs->vd->lock_key_sync &&
1876         !vnc_has_feature(vs, VNC_FEATURE_LED_STATE) &&
1877         ((sym >= 'A' && sym <= 'Z') || (sym >= 'a' && sym <= 'z'))) {
1878         /* If the capslock state needs to change then simulate an additional
1879            keypress before sending this one.  This will happen if the user
1880            toggles capslock away from the VNC window.
1881         */
1882         int uppercase = !!(sym >= 'A' && sym <= 'Z');
1883         bool shift = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_SHIFT);
1884         bool capslock = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_CAPSLOCK);
1885         if (capslock) {
1886             if (uppercase == shift) {
1887                 trace_vnc_key_sync_capslock(false);
1888                 press_key(vs, Q_KEY_CODE_CAPS_LOCK);
1889             }
1890         } else {
1891             if (uppercase != shift) {
1892                 trace_vnc_key_sync_capslock(true);
1893                 press_key(vs, Q_KEY_CODE_CAPS_LOCK);
1894             }
1895         }
1896     }
1897 
1898     qkbd_state_key_event(vs->vd->kbd, qcode, down);
1899     if (!qemu_console_is_graphic(NULL)) {
1900         bool numlock = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_NUMLOCK);
1901         bool control = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_CTRL);
1902         /* QEMU console emulation */
1903         if (down) {
1904             switch (keycode) {
1905             case 0x2a:                          /* Left Shift */
1906             case 0x36:                          /* Right Shift */
1907             case 0x1d:                          /* Left CTRL */
1908             case 0x9d:                          /* Right CTRL */
1909             case 0x38:                          /* Left ALT */
1910             case 0xb8:                          /* Right ALT */
1911                 break;
1912             case 0xc8:
1913                 kbd_put_keysym(QEMU_KEY_UP);
1914                 break;
1915             case 0xd0:
1916                 kbd_put_keysym(QEMU_KEY_DOWN);
1917                 break;
1918             case 0xcb:
1919                 kbd_put_keysym(QEMU_KEY_LEFT);
1920                 break;
1921             case 0xcd:
1922                 kbd_put_keysym(QEMU_KEY_RIGHT);
1923                 break;
1924             case 0xd3:
1925                 kbd_put_keysym(QEMU_KEY_DELETE);
1926                 break;
1927             case 0xc7:
1928                 kbd_put_keysym(QEMU_KEY_HOME);
1929                 break;
1930             case 0xcf:
1931                 kbd_put_keysym(QEMU_KEY_END);
1932                 break;
1933             case 0xc9:
1934                 kbd_put_keysym(QEMU_KEY_PAGEUP);
1935                 break;
1936             case 0xd1:
1937                 kbd_put_keysym(QEMU_KEY_PAGEDOWN);
1938                 break;
1939 
1940             case 0x47:
1941                 kbd_put_keysym(numlock ? '7' : QEMU_KEY_HOME);
1942                 break;
1943             case 0x48:
1944                 kbd_put_keysym(numlock ? '8' : QEMU_KEY_UP);
1945                 break;
1946             case 0x49:
1947                 kbd_put_keysym(numlock ? '9' : QEMU_KEY_PAGEUP);
1948                 break;
1949             case 0x4b:
1950                 kbd_put_keysym(numlock ? '4' : QEMU_KEY_LEFT);
1951                 break;
1952             case 0x4c:
1953                 kbd_put_keysym('5');
1954                 break;
1955             case 0x4d:
1956                 kbd_put_keysym(numlock ? '6' : QEMU_KEY_RIGHT);
1957                 break;
1958             case 0x4f:
1959                 kbd_put_keysym(numlock ? '1' : QEMU_KEY_END);
1960                 break;
1961             case 0x50:
1962                 kbd_put_keysym(numlock ? '2' : QEMU_KEY_DOWN);
1963                 break;
1964             case 0x51:
1965                 kbd_put_keysym(numlock ? '3' : QEMU_KEY_PAGEDOWN);
1966                 break;
1967             case 0x52:
1968                 kbd_put_keysym('0');
1969                 break;
1970             case 0x53:
1971                 kbd_put_keysym(numlock ? '.' : QEMU_KEY_DELETE);
1972                 break;
1973 
1974             case 0xb5:
1975                 kbd_put_keysym('/');
1976                 break;
1977             case 0x37:
1978                 kbd_put_keysym('*');
1979                 break;
1980             case 0x4a:
1981                 kbd_put_keysym('-');
1982                 break;
1983             case 0x4e:
1984                 kbd_put_keysym('+');
1985                 break;
1986             case 0x9c:
1987                 kbd_put_keysym('\n');
1988                 break;
1989 
1990             default:
1991                 if (control) {
1992                     kbd_put_keysym(sym & 0x1f);
1993                 } else {
1994                     kbd_put_keysym(sym);
1995                 }
1996                 break;
1997             }
1998         }
1999     }
2000 }
2001 
2002 static const char *code2name(int keycode)
2003 {
2004     return QKeyCode_str(qemu_input_key_number_to_qcode(keycode));
2005 }
2006 
2007 static void key_event(VncState *vs, int down, uint32_t sym)
2008 {
2009     int keycode;
2010     int lsym = sym;
2011 
2012     if (lsym >= 'A' && lsym <= 'Z' && qemu_console_is_graphic(NULL)) {
2013         lsym = lsym - 'A' + 'a';
2014     }
2015 
2016     keycode = keysym2scancode(vs->vd->kbd_layout, lsym & 0xFFFF,
2017                               vs->vd->kbd, down) & SCANCODE_KEYMASK;
2018     trace_vnc_key_event_map(down, sym, keycode, code2name(keycode));
2019     do_key_event(vs, down, keycode, sym);
2020 }
2021 
2022 static void ext_key_event(VncState *vs, int down,
2023                           uint32_t sym, uint16_t keycode)
2024 {
2025     /* if the user specifies a keyboard layout, always use it */
2026     if (keyboard_layout) {
2027         key_event(vs, down, sym);
2028     } else {
2029         trace_vnc_key_event_ext(down, sym, keycode, code2name(keycode));
2030         do_key_event(vs, down, keycode, sym);
2031     }
2032 }
2033 
2034 static void framebuffer_update_request(VncState *vs, int incremental,
2035                                        int x, int y, int w, int h)
2036 {
2037     if (incremental) {
2038         if (vs->update != VNC_STATE_UPDATE_FORCE) {
2039             vs->update = VNC_STATE_UPDATE_INCREMENTAL;
2040         }
2041     } else {
2042         vs->update = VNC_STATE_UPDATE_FORCE;
2043         vnc_set_area_dirty(vs->dirty, vs->vd, x, y, w, h);
2044         vnc_colordepth(vs);
2045         vnc_desktop_resize(vs);
2046         vnc_led_state_change(vs);
2047         vnc_cursor_define(vs);
2048     }
2049 }
2050 
2051 static void send_ext_key_event_ack(VncState *vs)
2052 {
2053     vnc_lock_output(vs);
2054     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2055     vnc_write_u8(vs, 0);
2056     vnc_write_u16(vs, 1);
2057     vnc_framebuffer_update(vs, 0, 0,
2058                            pixman_image_get_width(vs->vd->server),
2059                            pixman_image_get_height(vs->vd->server),
2060                            VNC_ENCODING_EXT_KEY_EVENT);
2061     vnc_unlock_output(vs);
2062     vnc_flush(vs);
2063 }
2064 
2065 static void send_ext_audio_ack(VncState *vs)
2066 {
2067     vnc_lock_output(vs);
2068     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2069     vnc_write_u8(vs, 0);
2070     vnc_write_u16(vs, 1);
2071     vnc_framebuffer_update(vs, 0, 0,
2072                            pixman_image_get_width(vs->vd->server),
2073                            pixman_image_get_height(vs->vd->server),
2074                            VNC_ENCODING_AUDIO);
2075     vnc_unlock_output(vs);
2076     vnc_flush(vs);
2077 }
2078 
2079 static void send_xvp_message(VncState *vs, int code)
2080 {
2081     vnc_lock_output(vs);
2082     vnc_write_u8(vs, VNC_MSG_SERVER_XVP);
2083     vnc_write_u8(vs, 0); /* pad */
2084     vnc_write_u8(vs, 1); /* version */
2085     vnc_write_u8(vs, code);
2086     vnc_unlock_output(vs);
2087     vnc_flush(vs);
2088 }
2089 
2090 static void set_encodings(VncState *vs, int32_t *encodings, size_t n_encodings)
2091 {
2092     int i;
2093     unsigned int enc = 0;
2094 
2095     vs->features = 0;
2096     vs->vnc_encoding = 0;
2097     vs->tight->compression = 9;
2098     vs->tight->quality = -1; /* Lossless by default */
2099     vs->absolute = -1;
2100 
2101     /*
2102      * Start from the end because the encodings are sent in order of preference.
2103      * This way the preferred encoding (first encoding defined in the array)
2104      * will be set at the end of the loop.
2105      */
2106     for (i = n_encodings - 1; i >= 0; i--) {
2107         enc = encodings[i];
2108         switch (enc) {
2109         case VNC_ENCODING_RAW:
2110             vs->vnc_encoding = enc;
2111             break;
2112         case VNC_ENCODING_HEXTILE:
2113             vs->features |= VNC_FEATURE_HEXTILE_MASK;
2114             vs->vnc_encoding = enc;
2115             break;
2116         case VNC_ENCODING_TIGHT:
2117             vs->features |= VNC_FEATURE_TIGHT_MASK;
2118             vs->vnc_encoding = enc;
2119             break;
2120 #ifdef CONFIG_VNC_PNG
2121         case VNC_ENCODING_TIGHT_PNG:
2122             vs->features |= VNC_FEATURE_TIGHT_PNG_MASK;
2123             vs->vnc_encoding = enc;
2124             break;
2125 #endif
2126         case VNC_ENCODING_ZLIB:
2127             /*
2128              * VNC_ENCODING_ZRLE compresses better than VNC_ENCODING_ZLIB.
2129              * So prioritize ZRLE, even if the client hints that it prefers
2130              * ZLIB.
2131              */
2132             if ((vs->features & VNC_FEATURE_ZRLE_MASK) == 0) {
2133                 vs->features |= VNC_FEATURE_ZLIB_MASK;
2134                 vs->vnc_encoding = enc;
2135             }
2136             break;
2137         case VNC_ENCODING_ZRLE:
2138             vs->features |= VNC_FEATURE_ZRLE_MASK;
2139             vs->vnc_encoding = enc;
2140             break;
2141         case VNC_ENCODING_ZYWRLE:
2142             vs->features |= VNC_FEATURE_ZYWRLE_MASK;
2143             vs->vnc_encoding = enc;
2144             break;
2145         case VNC_ENCODING_DESKTOPRESIZE:
2146             vs->features |= VNC_FEATURE_RESIZE_MASK;
2147             break;
2148         case VNC_ENCODING_DESKTOP_RESIZE_EXT:
2149             vs->features |= VNC_FEATURE_RESIZE_EXT_MASK;
2150             break;
2151         case VNC_ENCODING_POINTER_TYPE_CHANGE:
2152             vs->features |= VNC_FEATURE_POINTER_TYPE_CHANGE_MASK;
2153             break;
2154         case VNC_ENCODING_RICH_CURSOR:
2155             vs->features |= VNC_FEATURE_RICH_CURSOR_MASK;
2156             break;
2157         case VNC_ENCODING_ALPHA_CURSOR:
2158             vs->features |= VNC_FEATURE_ALPHA_CURSOR_MASK;
2159             break;
2160         case VNC_ENCODING_EXT_KEY_EVENT:
2161             send_ext_key_event_ack(vs);
2162             break;
2163         case VNC_ENCODING_AUDIO:
2164             send_ext_audio_ack(vs);
2165             break;
2166         case VNC_ENCODING_WMVi:
2167             vs->features |= VNC_FEATURE_WMVI_MASK;
2168             break;
2169         case VNC_ENCODING_LED_STATE:
2170             vs->features |= VNC_FEATURE_LED_STATE_MASK;
2171             break;
2172         case VNC_ENCODING_XVP:
2173             if (vs->vd->power_control) {
2174                 vs->features |= VNC_FEATURE_XVP;
2175                 send_xvp_message(vs, VNC_XVP_CODE_INIT);
2176             }
2177             break;
2178         case VNC_ENCODING_COMPRESSLEVEL0 ... VNC_ENCODING_COMPRESSLEVEL0 + 9:
2179             vs->tight->compression = (enc & 0x0F);
2180             break;
2181         case VNC_ENCODING_QUALITYLEVEL0 ... VNC_ENCODING_QUALITYLEVEL0 + 9:
2182             if (vs->vd->lossy) {
2183                 vs->tight->quality = (enc & 0x0F);
2184             }
2185             break;
2186         default:
2187             VNC_DEBUG("Unknown encoding: %d (0x%.8x): %d\n", i, enc, enc);
2188             break;
2189         }
2190     }
2191     check_pointer_type_change(&vs->mouse_mode_notifier, NULL);
2192 }
2193 
2194 static void set_pixel_conversion(VncState *vs)
2195 {
2196     pixman_format_code_t fmt = qemu_pixman_get_format(&vs->client_pf);
2197 
2198     if (fmt == VNC_SERVER_FB_FORMAT) {
2199         vs->write_pixels = vnc_write_pixels_copy;
2200         vnc_hextile_set_pixel_conversion(vs, 0);
2201     } else {
2202         vs->write_pixels = vnc_write_pixels_generic;
2203         vnc_hextile_set_pixel_conversion(vs, 1);
2204     }
2205 }
2206 
2207 static void send_color_map(VncState *vs)
2208 {
2209     int i;
2210 
2211     vnc_lock_output(vs);
2212     vnc_write_u8(vs, VNC_MSG_SERVER_SET_COLOUR_MAP_ENTRIES);
2213     vnc_write_u8(vs,  0);    /* padding     */
2214     vnc_write_u16(vs, 0);    /* first color */
2215     vnc_write_u16(vs, 256);  /* # of colors */
2216 
2217     for (i = 0; i < 256; i++) {
2218         PixelFormat *pf = &vs->client_pf;
2219 
2220         vnc_write_u16(vs, (((i >> pf->rshift) & pf->rmax) << (16 - pf->rbits)));
2221         vnc_write_u16(vs, (((i >> pf->gshift) & pf->gmax) << (16 - pf->gbits)));
2222         vnc_write_u16(vs, (((i >> pf->bshift) & pf->bmax) << (16 - pf->bbits)));
2223     }
2224     vnc_unlock_output(vs);
2225 }
2226 
2227 static void set_pixel_format(VncState *vs, int bits_per_pixel,
2228                              int big_endian_flag, int true_color_flag,
2229                              int red_max, int green_max, int blue_max,
2230                              int red_shift, int green_shift, int blue_shift)
2231 {
2232     if (!true_color_flag) {
2233         /* Expose a reasonable default 256 color map */
2234         bits_per_pixel = 8;
2235         red_max = 7;
2236         green_max = 7;
2237         blue_max = 3;
2238         red_shift = 0;
2239         green_shift = 3;
2240         blue_shift = 6;
2241     }
2242 
2243     switch (bits_per_pixel) {
2244     case 8:
2245     case 16:
2246     case 32:
2247         break;
2248     default:
2249         vnc_client_error(vs);
2250         return;
2251     }
2252 
2253     vs->client_pf.rmax = red_max ? red_max : 0xFF;
2254     vs->client_pf.rbits = ctpopl(red_max);
2255     vs->client_pf.rshift = red_shift;
2256     vs->client_pf.rmask = red_max << red_shift;
2257     vs->client_pf.gmax = green_max ? green_max : 0xFF;
2258     vs->client_pf.gbits = ctpopl(green_max);
2259     vs->client_pf.gshift = green_shift;
2260     vs->client_pf.gmask = green_max << green_shift;
2261     vs->client_pf.bmax = blue_max ? blue_max : 0xFF;
2262     vs->client_pf.bbits = ctpopl(blue_max);
2263     vs->client_pf.bshift = blue_shift;
2264     vs->client_pf.bmask = blue_max << blue_shift;
2265     vs->client_pf.bits_per_pixel = bits_per_pixel;
2266     vs->client_pf.bytes_per_pixel = bits_per_pixel / 8;
2267     vs->client_pf.depth = bits_per_pixel == 32 ? 24 : bits_per_pixel;
2268     vs->client_be = big_endian_flag;
2269 
2270     if (!true_color_flag) {
2271         send_color_map(vs);
2272     }
2273 
2274     set_pixel_conversion(vs);
2275 
2276     graphic_hw_invalidate(vs->vd->dcl.con);
2277     graphic_hw_update(vs->vd->dcl.con);
2278 }
2279 
2280 static void pixel_format_message (VncState *vs) {
2281     char pad[3] = { 0, 0, 0 };
2282 
2283     vs->client_pf = qemu_default_pixelformat(32);
2284 
2285     vnc_write_u8(vs, vs->client_pf.bits_per_pixel); /* bits-per-pixel */
2286     vnc_write_u8(vs, vs->client_pf.depth); /* depth */
2287 
2288 #ifdef HOST_WORDS_BIGENDIAN
2289     vnc_write_u8(vs, 1);             /* big-endian-flag */
2290 #else
2291     vnc_write_u8(vs, 0);             /* big-endian-flag */
2292 #endif
2293     vnc_write_u8(vs, 1);             /* true-color-flag */
2294     vnc_write_u16(vs, vs->client_pf.rmax);     /* red-max */
2295     vnc_write_u16(vs, vs->client_pf.gmax);     /* green-max */
2296     vnc_write_u16(vs, vs->client_pf.bmax);     /* blue-max */
2297     vnc_write_u8(vs, vs->client_pf.rshift);    /* red-shift */
2298     vnc_write_u8(vs, vs->client_pf.gshift);    /* green-shift */
2299     vnc_write_u8(vs, vs->client_pf.bshift);    /* blue-shift */
2300     vnc_write(vs, pad, 3);           /* padding */
2301 
2302     vnc_hextile_set_pixel_conversion(vs, 0);
2303     vs->write_pixels = vnc_write_pixels_copy;
2304 }
2305 
2306 static void vnc_colordepth(VncState *vs)
2307 {
2308     if (vnc_has_feature(vs, VNC_FEATURE_WMVI)) {
2309         /* Sending a WMVi message to notify the client*/
2310         vnc_lock_output(vs);
2311         vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2312         vnc_write_u8(vs, 0);
2313         vnc_write_u16(vs, 1); /* number of rects */
2314         vnc_framebuffer_update(vs, 0, 0,
2315                                pixman_image_get_width(vs->vd->server),
2316                                pixman_image_get_height(vs->vd->server),
2317                                VNC_ENCODING_WMVi);
2318         pixel_format_message(vs);
2319         vnc_unlock_output(vs);
2320         vnc_flush(vs);
2321     } else {
2322         set_pixel_conversion(vs);
2323     }
2324 }
2325 
2326 static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
2327 {
2328     int i;
2329     uint16_t limit;
2330     uint32_t freq;
2331     VncDisplay *vd = vs->vd;
2332 
2333     if (data[0] > 3) {
2334         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
2335     }
2336 
2337     switch (data[0]) {
2338     case VNC_MSG_CLIENT_SET_PIXEL_FORMAT:
2339         if (len == 1)
2340             return 20;
2341 
2342         set_pixel_format(vs, read_u8(data, 4),
2343                          read_u8(data, 6), read_u8(data, 7),
2344                          read_u16(data, 8), read_u16(data, 10),
2345                          read_u16(data, 12), read_u8(data, 14),
2346                          read_u8(data, 15), read_u8(data, 16));
2347         break;
2348     case VNC_MSG_CLIENT_SET_ENCODINGS:
2349         if (len == 1)
2350             return 4;
2351 
2352         if (len == 4) {
2353             limit = read_u16(data, 2);
2354             if (limit > 0)
2355                 return 4 + (limit * 4);
2356         } else
2357             limit = read_u16(data, 2);
2358 
2359         for (i = 0; i < limit; i++) {
2360             int32_t val = read_s32(data, 4 + (i * 4));
2361             memcpy(data + 4 + (i * 4), &val, sizeof(val));
2362         }
2363 
2364         set_encodings(vs, (int32_t *)(data + 4), limit);
2365         break;
2366     case VNC_MSG_CLIENT_FRAMEBUFFER_UPDATE_REQUEST:
2367         if (len == 1)
2368             return 10;
2369 
2370         framebuffer_update_request(vs,
2371                                    read_u8(data, 1), read_u16(data, 2), read_u16(data, 4),
2372                                    read_u16(data, 6), read_u16(data, 8));
2373         break;
2374     case VNC_MSG_CLIENT_KEY_EVENT:
2375         if (len == 1)
2376             return 8;
2377 
2378         key_event(vs, read_u8(data, 1), read_u32(data, 4));
2379         break;
2380     case VNC_MSG_CLIENT_POINTER_EVENT:
2381         if (len == 1)
2382             return 6;
2383 
2384         pointer_event(vs, read_u8(data, 1), read_u16(data, 2), read_u16(data, 4));
2385         break;
2386     case VNC_MSG_CLIENT_CUT_TEXT:
2387         if (len == 1) {
2388             return 8;
2389         }
2390         if (len == 8) {
2391             uint32_t dlen = read_u32(data, 4);
2392             if (dlen > (1 << 20)) {
2393                 error_report("vnc: client_cut_text msg payload has %u bytes"
2394                              " which exceeds our limit of 1MB.", dlen);
2395                 vnc_client_error(vs);
2396                 break;
2397             }
2398             if (dlen > 0) {
2399                 return 8 + dlen;
2400             }
2401         }
2402 
2403         client_cut_text(vs, read_u32(data, 4), data + 8);
2404         break;
2405     case VNC_MSG_CLIENT_XVP:
2406         if (!(vs->features & VNC_FEATURE_XVP)) {
2407             error_report("vnc: xvp client message while disabled");
2408             vnc_client_error(vs);
2409             break;
2410         }
2411         if (len == 1) {
2412             return 4;
2413         }
2414         if (len == 4) {
2415             uint8_t version = read_u8(data, 2);
2416             uint8_t action = read_u8(data, 3);
2417 
2418             if (version != 1) {
2419                 error_report("vnc: xvp client message version %d != 1",
2420                              version);
2421                 vnc_client_error(vs);
2422                 break;
2423             }
2424 
2425             switch (action) {
2426             case VNC_XVP_ACTION_SHUTDOWN:
2427                 qemu_system_powerdown_request();
2428                 break;
2429             case VNC_XVP_ACTION_REBOOT:
2430                 send_xvp_message(vs, VNC_XVP_CODE_FAIL);
2431                 break;
2432             case VNC_XVP_ACTION_RESET:
2433                 qemu_system_reset_request(SHUTDOWN_CAUSE_HOST_QMP_SYSTEM_RESET);
2434                 break;
2435             default:
2436                 send_xvp_message(vs, VNC_XVP_CODE_FAIL);
2437                 break;
2438             }
2439         }
2440         break;
2441     case VNC_MSG_CLIENT_QEMU:
2442         if (len == 1)
2443             return 2;
2444 
2445         switch (read_u8(data, 1)) {
2446         case VNC_MSG_CLIENT_QEMU_EXT_KEY_EVENT:
2447             if (len == 2)
2448                 return 12;
2449 
2450             ext_key_event(vs, read_u16(data, 2),
2451                           read_u32(data, 4), read_u32(data, 8));
2452             break;
2453         case VNC_MSG_CLIENT_QEMU_AUDIO:
2454             if (len == 2)
2455                 return 4;
2456 
2457             switch (read_u16 (data, 2)) {
2458             case VNC_MSG_CLIENT_QEMU_AUDIO_ENABLE:
2459                 audio_add(vs);
2460                 break;
2461             case VNC_MSG_CLIENT_QEMU_AUDIO_DISABLE:
2462                 audio_del(vs);
2463                 break;
2464             case VNC_MSG_CLIENT_QEMU_AUDIO_SET_FORMAT:
2465                 if (len == 4)
2466                     return 10;
2467                 switch (read_u8(data, 4)) {
2468                 case 0: vs->as.fmt = AUDIO_FORMAT_U8; break;
2469                 case 1: vs->as.fmt = AUDIO_FORMAT_S8; break;
2470                 case 2: vs->as.fmt = AUDIO_FORMAT_U16; break;
2471                 case 3: vs->as.fmt = AUDIO_FORMAT_S16; break;
2472                 case 4: vs->as.fmt = AUDIO_FORMAT_U32; break;
2473                 case 5: vs->as.fmt = AUDIO_FORMAT_S32; break;
2474                 default:
2475                     VNC_DEBUG("Invalid audio format %d\n", read_u8(data, 4));
2476                     vnc_client_error(vs);
2477                     break;
2478                 }
2479                 vs->as.nchannels = read_u8(data, 5);
2480                 if (vs->as.nchannels != 1 && vs->as.nchannels != 2) {
2481                     VNC_DEBUG("Invalid audio channel count %d\n",
2482                               read_u8(data, 5));
2483                     vnc_client_error(vs);
2484                     break;
2485                 }
2486                 freq = read_u32(data, 6);
2487                 /* No official limit for protocol, but 48khz is a sensible
2488                  * upper bound for trustworthy clients, and this limit
2489                  * protects calculations involving 'vs->as.freq' later.
2490                  */
2491                 if (freq > 48000) {
2492                     VNC_DEBUG("Invalid audio frequency %u > 48000", freq);
2493                     vnc_client_error(vs);
2494                     break;
2495                 }
2496                 vs->as.freq = freq;
2497                 break;
2498             default:
2499                 VNC_DEBUG("Invalid audio message %d\n", read_u8(data, 4));
2500                 vnc_client_error(vs);
2501                 break;
2502             }
2503             break;
2504 
2505         default:
2506             VNC_DEBUG("Msg: %d\n", read_u16(data, 0));
2507             vnc_client_error(vs);
2508             break;
2509         }
2510         break;
2511     case VNC_MSG_CLIENT_SET_DESKTOP_SIZE:
2512     {
2513         size_t size;
2514         uint8_t screens;
2515 
2516         if (len < 8) {
2517             return 8;
2518         }
2519 
2520         screens = read_u8(data, 6);
2521         size    = 8 + screens * 16;
2522         if (len < size) {
2523             return size;
2524         }
2525 
2526         if (dpy_ui_info_supported(vs->vd->dcl.con)) {
2527             QemuUIInfo info;
2528             memset(&info, 0, sizeof(info));
2529             info.width = read_u16(data, 2);
2530             info.height = read_u16(data, 4);
2531             dpy_set_ui_info(vs->vd->dcl.con, &info);
2532             vnc_desktop_resize_ext(vs, 4 /* Request forwarded */);
2533         } else {
2534             vnc_desktop_resize_ext(vs, 3 /* Invalid screen layout */);
2535         }
2536 
2537         break;
2538     }
2539     default:
2540         VNC_DEBUG("Msg: %d\n", data[0]);
2541         vnc_client_error(vs);
2542         break;
2543     }
2544 
2545     vnc_update_throttle_offset(vs);
2546     vnc_read_when(vs, protocol_client_msg, 1);
2547     return 0;
2548 }
2549 
2550 static int protocol_client_init(VncState *vs, uint8_t *data, size_t len)
2551 {
2552     char buf[1024];
2553     VncShareMode mode;
2554     int size;
2555 
2556     mode = data[0] ? VNC_SHARE_MODE_SHARED : VNC_SHARE_MODE_EXCLUSIVE;
2557     switch (vs->vd->share_policy) {
2558     case VNC_SHARE_POLICY_IGNORE:
2559         /*
2560          * Ignore the shared flag.  Nothing to do here.
2561          *
2562          * Doesn't conform to the rfb spec but is traditional qemu
2563          * behavior, thus left here as option for compatibility
2564          * reasons.
2565          */
2566         break;
2567     case VNC_SHARE_POLICY_ALLOW_EXCLUSIVE:
2568         /*
2569          * Policy: Allow clients ask for exclusive access.
2570          *
2571          * Implementation: When a client asks for exclusive access,
2572          * disconnect all others. Shared connects are allowed as long
2573          * as no exclusive connection exists.
2574          *
2575          * This is how the rfb spec suggests to handle the shared flag.
2576          */
2577         if (mode == VNC_SHARE_MODE_EXCLUSIVE) {
2578             VncState *client;
2579             QTAILQ_FOREACH(client, &vs->vd->clients, next) {
2580                 if (vs == client) {
2581                     continue;
2582                 }
2583                 if (client->share_mode != VNC_SHARE_MODE_EXCLUSIVE &&
2584                     client->share_mode != VNC_SHARE_MODE_SHARED) {
2585                     continue;
2586                 }
2587                 vnc_disconnect_start(client);
2588             }
2589         }
2590         if (mode == VNC_SHARE_MODE_SHARED) {
2591             if (vs->vd->num_exclusive > 0) {
2592                 vnc_disconnect_start(vs);
2593                 return 0;
2594             }
2595         }
2596         break;
2597     case VNC_SHARE_POLICY_FORCE_SHARED:
2598         /*
2599          * Policy: Shared connects only.
2600          * Implementation: Disallow clients asking for exclusive access.
2601          *
2602          * Useful for shared desktop sessions where you don't want
2603          * someone forgetting to say -shared when running the vnc
2604          * client disconnect everybody else.
2605          */
2606         if (mode == VNC_SHARE_MODE_EXCLUSIVE) {
2607             vnc_disconnect_start(vs);
2608             return 0;
2609         }
2610         break;
2611     }
2612     vnc_set_share_mode(vs, mode);
2613 
2614     if (vs->vd->num_shared > vs->vd->connections_limit) {
2615         vnc_disconnect_start(vs);
2616         return 0;
2617     }
2618 
2619     assert(pixman_image_get_width(vs->vd->server) < 65536 &&
2620            pixman_image_get_width(vs->vd->server) >= 0);
2621     assert(pixman_image_get_height(vs->vd->server) < 65536 &&
2622            pixman_image_get_height(vs->vd->server) >= 0);
2623     vs->client_width = pixman_image_get_width(vs->vd->server);
2624     vs->client_height = pixman_image_get_height(vs->vd->server);
2625     vnc_write_u16(vs, vs->client_width);
2626     vnc_write_u16(vs, vs->client_height);
2627 
2628     pixel_format_message(vs);
2629 
2630     if (qemu_name) {
2631         size = snprintf(buf, sizeof(buf), "QEMU (%s)", qemu_name);
2632         if (size > sizeof(buf)) {
2633             size = sizeof(buf);
2634         }
2635     } else {
2636         size = snprintf(buf, sizeof(buf), "QEMU");
2637     }
2638 
2639     vnc_write_u32(vs, size);
2640     vnc_write(vs, buf, size);
2641     vnc_flush(vs);
2642 
2643     vnc_client_cache_auth(vs);
2644     vnc_qmp_event(vs, QAPI_EVENT_VNC_INITIALIZED);
2645 
2646     vnc_read_when(vs, protocol_client_msg, 1);
2647 
2648     return 0;
2649 }
2650 
2651 void start_client_init(VncState *vs)
2652 {
2653     vnc_read_when(vs, protocol_client_init, 1);
2654 }
2655 
2656 static void authentication_failed(VncState *vs)
2657 {
2658     vnc_write_u32(vs, 1); /* Reject auth */
2659     if (vs->minor >= 8) {
2660         static const char err[] = "Authentication failed";
2661         vnc_write_u32(vs, sizeof(err));
2662         vnc_write(vs, err, sizeof(err));
2663     }
2664     vnc_flush(vs);
2665     vnc_client_error(vs);
2666 }
2667 
2668 static int protocol_client_auth_vnc(VncState *vs, uint8_t *data, size_t len)
2669 {
2670     unsigned char response[VNC_AUTH_CHALLENGE_SIZE];
2671     size_t i, pwlen;
2672     unsigned char key[8];
2673     time_t now = time(NULL);
2674     QCryptoCipher *cipher = NULL;
2675     Error *err = NULL;
2676 
2677     if (!vs->vd->password) {
2678         trace_vnc_auth_fail(vs, vs->auth, "password is not set", "");
2679         goto reject;
2680     }
2681     if (vs->vd->expires < now) {
2682         trace_vnc_auth_fail(vs, vs->auth, "password is expired", "");
2683         goto reject;
2684     }
2685 
2686     memcpy(response, vs->challenge, VNC_AUTH_CHALLENGE_SIZE);
2687 
2688     /* Calculate the expected challenge response */
2689     pwlen = strlen(vs->vd->password);
2690     for (i=0; i<sizeof(key); i++)
2691         key[i] = i<pwlen ? vs->vd->password[i] : 0;
2692 
2693     cipher = qcrypto_cipher_new(
2694         QCRYPTO_CIPHER_ALG_DES_RFB,
2695         QCRYPTO_CIPHER_MODE_ECB,
2696         key, G_N_ELEMENTS(key),
2697         &err);
2698     if (!cipher) {
2699         trace_vnc_auth_fail(vs, vs->auth, "cannot create cipher",
2700                             error_get_pretty(err));
2701         error_free(err);
2702         goto reject;
2703     }
2704 
2705     if (qcrypto_cipher_encrypt(cipher,
2706                                vs->challenge,
2707                                response,
2708                                VNC_AUTH_CHALLENGE_SIZE,
2709                                &err) < 0) {
2710         trace_vnc_auth_fail(vs, vs->auth, "cannot encrypt challenge response",
2711                             error_get_pretty(err));
2712         error_free(err);
2713         goto reject;
2714     }
2715 
2716     /* Compare expected vs actual challenge response */
2717     if (memcmp(response, data, VNC_AUTH_CHALLENGE_SIZE) != 0) {
2718         trace_vnc_auth_fail(vs, vs->auth, "mis-matched challenge response", "");
2719         goto reject;
2720     } else {
2721         trace_vnc_auth_pass(vs, vs->auth);
2722         vnc_write_u32(vs, 0); /* Accept auth */
2723         vnc_flush(vs);
2724 
2725         start_client_init(vs);
2726     }
2727 
2728     qcrypto_cipher_free(cipher);
2729     return 0;
2730 
2731 reject:
2732     authentication_failed(vs);
2733     qcrypto_cipher_free(cipher);
2734     return 0;
2735 }
2736 
2737 void start_auth_vnc(VncState *vs)
2738 {
2739     Error *err = NULL;
2740 
2741     if (qcrypto_random_bytes(vs->challenge, sizeof(vs->challenge), &err)) {
2742         trace_vnc_auth_fail(vs, vs->auth, "cannot get random bytes",
2743                             error_get_pretty(err));
2744         error_free(err);
2745         authentication_failed(vs);
2746         return;
2747     }
2748 
2749     /* Send client a 'random' challenge */
2750     vnc_write(vs, vs->challenge, sizeof(vs->challenge));
2751     vnc_flush(vs);
2752 
2753     vnc_read_when(vs, protocol_client_auth_vnc, sizeof(vs->challenge));
2754 }
2755 
2756 
2757 static int protocol_client_auth(VncState *vs, uint8_t *data, size_t len)
2758 {
2759     /* We only advertise 1 auth scheme at a time, so client
2760      * must pick the one we sent. Verify this */
2761     if (data[0] != vs->auth) { /* Reject auth */
2762        trace_vnc_auth_reject(vs, vs->auth, (int)data[0]);
2763        authentication_failed(vs);
2764     } else { /* Accept requested auth */
2765        trace_vnc_auth_start(vs, vs->auth);
2766        switch (vs->auth) {
2767        case VNC_AUTH_NONE:
2768            if (vs->minor >= 8) {
2769                vnc_write_u32(vs, 0); /* Accept auth completion */
2770                vnc_flush(vs);
2771            }
2772            trace_vnc_auth_pass(vs, vs->auth);
2773            start_client_init(vs);
2774            break;
2775 
2776        case VNC_AUTH_VNC:
2777            start_auth_vnc(vs);
2778            break;
2779 
2780        case VNC_AUTH_VENCRYPT:
2781            start_auth_vencrypt(vs);
2782            break;
2783 
2784 #ifdef CONFIG_VNC_SASL
2785        case VNC_AUTH_SASL:
2786            start_auth_sasl(vs);
2787            break;
2788 #endif /* CONFIG_VNC_SASL */
2789 
2790        default: /* Should not be possible, but just in case */
2791            trace_vnc_auth_fail(vs, vs->auth, "Unhandled auth method", "");
2792            authentication_failed(vs);
2793        }
2794     }
2795     return 0;
2796 }
2797 
2798 static int protocol_version(VncState *vs, uint8_t *version, size_t len)
2799 {
2800     char local[13];
2801 
2802     memcpy(local, version, 12);
2803     local[12] = 0;
2804 
2805     if (sscanf(local, "RFB %03d.%03d\n", &vs->major, &vs->minor) != 2) {
2806         VNC_DEBUG("Malformed protocol version %s\n", local);
2807         vnc_client_error(vs);
2808         return 0;
2809     }
2810     VNC_DEBUG("Client request protocol version %d.%d\n", vs->major, vs->minor);
2811     if (vs->major != 3 ||
2812         (vs->minor != 3 &&
2813          vs->minor != 4 &&
2814          vs->minor != 5 &&
2815          vs->minor != 7 &&
2816          vs->minor != 8)) {
2817         VNC_DEBUG("Unsupported client version\n");
2818         vnc_write_u32(vs, VNC_AUTH_INVALID);
2819         vnc_flush(vs);
2820         vnc_client_error(vs);
2821         return 0;
2822     }
2823     /* Some broken clients report v3.4 or v3.5, which spec requires to be treated
2824      * as equivalent to v3.3 by servers
2825      */
2826     if (vs->minor == 4 || vs->minor == 5)
2827         vs->minor = 3;
2828 
2829     if (vs->minor == 3) {
2830         trace_vnc_auth_start(vs, vs->auth);
2831         if (vs->auth == VNC_AUTH_NONE) {
2832             vnc_write_u32(vs, vs->auth);
2833             vnc_flush(vs);
2834             trace_vnc_auth_pass(vs, vs->auth);
2835             start_client_init(vs);
2836        } else if (vs->auth == VNC_AUTH_VNC) {
2837             VNC_DEBUG("Tell client VNC auth\n");
2838             vnc_write_u32(vs, vs->auth);
2839             vnc_flush(vs);
2840             start_auth_vnc(vs);
2841        } else {
2842             trace_vnc_auth_fail(vs, vs->auth,
2843                                 "Unsupported auth method for v3.3", "");
2844             vnc_write_u32(vs, VNC_AUTH_INVALID);
2845             vnc_flush(vs);
2846             vnc_client_error(vs);
2847        }
2848     } else {
2849         vnc_write_u8(vs, 1); /* num auth */
2850         vnc_write_u8(vs, vs->auth);
2851         vnc_read_when(vs, protocol_client_auth, 1);
2852         vnc_flush(vs);
2853     }
2854 
2855     return 0;
2856 }
2857 
2858 static VncRectStat *vnc_stat_rect(VncDisplay *vd, int x, int y)
2859 {
2860     struct VncSurface *vs = &vd->guest;
2861 
2862     return &vs->stats[y / VNC_STAT_RECT][x / VNC_STAT_RECT];
2863 }
2864 
2865 void vnc_sent_lossy_rect(VncState *vs, int x, int y, int w, int h)
2866 {
2867     int i, j;
2868 
2869     w = (x + w) / VNC_STAT_RECT;
2870     h = (y + h) / VNC_STAT_RECT;
2871     x /= VNC_STAT_RECT;
2872     y /= VNC_STAT_RECT;
2873 
2874     for (j = y; j <= h; j++) {
2875         for (i = x; i <= w; i++) {
2876             vs->lossy_rect[j][i] = 1;
2877         }
2878     }
2879 }
2880 
2881 static int vnc_refresh_lossy_rect(VncDisplay *vd, int x, int y)
2882 {
2883     VncState *vs;
2884     int sty = y / VNC_STAT_RECT;
2885     int stx = x / VNC_STAT_RECT;
2886     int has_dirty = 0;
2887 
2888     y = QEMU_ALIGN_DOWN(y, VNC_STAT_RECT);
2889     x = QEMU_ALIGN_DOWN(x, VNC_STAT_RECT);
2890 
2891     QTAILQ_FOREACH(vs, &vd->clients, next) {
2892         int j;
2893 
2894         /* kernel send buffers are full -> refresh later */
2895         if (vs->output.offset) {
2896             continue;
2897         }
2898 
2899         if (!vs->lossy_rect[sty][stx]) {
2900             continue;
2901         }
2902 
2903         vs->lossy_rect[sty][stx] = 0;
2904         for (j = 0; j < VNC_STAT_RECT; ++j) {
2905             bitmap_set(vs->dirty[y + j],
2906                        x / VNC_DIRTY_PIXELS_PER_BIT,
2907                        VNC_STAT_RECT / VNC_DIRTY_PIXELS_PER_BIT);
2908         }
2909         has_dirty++;
2910     }
2911 
2912     return has_dirty;
2913 }
2914 
2915 static int vnc_update_stats(VncDisplay *vd,  struct timeval * tv)
2916 {
2917     int width = MIN(pixman_image_get_width(vd->guest.fb),
2918                     pixman_image_get_width(vd->server));
2919     int height = MIN(pixman_image_get_height(vd->guest.fb),
2920                      pixman_image_get_height(vd->server));
2921     int x, y;
2922     struct timeval res;
2923     int has_dirty = 0;
2924 
2925     for (y = 0; y < height; y += VNC_STAT_RECT) {
2926         for (x = 0; x < width; x += VNC_STAT_RECT) {
2927             VncRectStat *rect = vnc_stat_rect(vd, x, y);
2928 
2929             rect->updated = false;
2930         }
2931     }
2932 
2933     qemu_timersub(tv, &VNC_REFRESH_STATS, &res);
2934 
2935     if (timercmp(&vd->guest.last_freq_check, &res, >)) {
2936         return has_dirty;
2937     }
2938     vd->guest.last_freq_check = *tv;
2939 
2940     for (y = 0; y < height; y += VNC_STAT_RECT) {
2941         for (x = 0; x < width; x += VNC_STAT_RECT) {
2942             VncRectStat *rect= vnc_stat_rect(vd, x, y);
2943             int count = ARRAY_SIZE(rect->times);
2944             struct timeval min, max;
2945 
2946             if (!timerisset(&rect->times[count - 1])) {
2947                 continue ;
2948             }
2949 
2950             max = rect->times[(rect->idx + count - 1) % count];
2951             qemu_timersub(tv, &max, &res);
2952 
2953             if (timercmp(&res, &VNC_REFRESH_LOSSY, >)) {
2954                 rect->freq = 0;
2955                 has_dirty += vnc_refresh_lossy_rect(vd, x, y);
2956                 memset(rect->times, 0, sizeof (rect->times));
2957                 continue ;
2958             }
2959 
2960             min = rect->times[rect->idx];
2961             max = rect->times[(rect->idx + count - 1) % count];
2962             qemu_timersub(&max, &min, &res);
2963 
2964             rect->freq = res.tv_sec + res.tv_usec / 1000000.;
2965             rect->freq /= count;
2966             rect->freq = 1. / rect->freq;
2967         }
2968     }
2969     return has_dirty;
2970 }
2971 
2972 double vnc_update_freq(VncState *vs, int x, int y, int w, int h)
2973 {
2974     int i, j;
2975     double total = 0;
2976     int num = 0;
2977 
2978     x =  QEMU_ALIGN_DOWN(x, VNC_STAT_RECT);
2979     y =  QEMU_ALIGN_DOWN(y, VNC_STAT_RECT);
2980 
2981     for (j = y; j <= y + h; j += VNC_STAT_RECT) {
2982         for (i = x; i <= x + w; i += VNC_STAT_RECT) {
2983             total += vnc_stat_rect(vs->vd, i, j)->freq;
2984             num++;
2985         }
2986     }
2987 
2988     if (num) {
2989         return total / num;
2990     } else {
2991         return 0;
2992     }
2993 }
2994 
2995 static void vnc_rect_updated(VncDisplay *vd, int x, int y, struct timeval * tv)
2996 {
2997     VncRectStat *rect;
2998 
2999     rect = vnc_stat_rect(vd, x, y);
3000     if (rect->updated) {
3001         return ;
3002     }
3003     rect->times[rect->idx] = *tv;
3004     rect->idx = (rect->idx + 1) % ARRAY_SIZE(rect->times);
3005     rect->updated = true;
3006 }
3007 
3008 static int vnc_refresh_server_surface(VncDisplay *vd)
3009 {
3010     int width = MIN(pixman_image_get_width(vd->guest.fb),
3011                     pixman_image_get_width(vd->server));
3012     int height = MIN(pixman_image_get_height(vd->guest.fb),
3013                      pixman_image_get_height(vd->server));
3014     int cmp_bytes, server_stride, line_bytes, guest_ll, guest_stride, y = 0;
3015     uint8_t *guest_row0 = NULL, *server_row0;
3016     VncState *vs;
3017     int has_dirty = 0;
3018     pixman_image_t *tmpbuf = NULL;
3019 
3020     struct timeval tv = { 0, 0 };
3021 
3022     if (!vd->non_adaptive) {
3023         gettimeofday(&tv, NULL);
3024         has_dirty = vnc_update_stats(vd, &tv);
3025     }
3026 
3027     /*
3028      * Walk through the guest dirty map.
3029      * Check and copy modified bits from guest to server surface.
3030      * Update server dirty map.
3031      */
3032     server_row0 = (uint8_t *)pixman_image_get_data(vd->server);
3033     server_stride = guest_stride = guest_ll =
3034         pixman_image_get_stride(vd->server);
3035     cmp_bytes = MIN(VNC_DIRTY_PIXELS_PER_BIT * VNC_SERVER_FB_BYTES,
3036                     server_stride);
3037     if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
3038         int width = pixman_image_get_width(vd->server);
3039         tmpbuf = qemu_pixman_linebuf_create(VNC_SERVER_FB_FORMAT, width);
3040     } else {
3041         int guest_bpp =
3042             PIXMAN_FORMAT_BPP(pixman_image_get_format(vd->guest.fb));
3043         guest_row0 = (uint8_t *)pixman_image_get_data(vd->guest.fb);
3044         guest_stride = pixman_image_get_stride(vd->guest.fb);
3045         guest_ll = pixman_image_get_width(vd->guest.fb)
3046                    * DIV_ROUND_UP(guest_bpp, 8);
3047     }
3048     line_bytes = MIN(server_stride, guest_ll);
3049 
3050     for (;;) {
3051         int x;
3052         uint8_t *guest_ptr, *server_ptr;
3053         unsigned long offset = find_next_bit((unsigned long *) &vd->guest.dirty,
3054                                              height * VNC_DIRTY_BPL(&vd->guest),
3055                                              y * VNC_DIRTY_BPL(&vd->guest));
3056         if (offset == height * VNC_DIRTY_BPL(&vd->guest)) {
3057             /* no more dirty bits */
3058             break;
3059         }
3060         y = offset / VNC_DIRTY_BPL(&vd->guest);
3061         x = offset % VNC_DIRTY_BPL(&vd->guest);
3062 
3063         server_ptr = server_row0 + y * server_stride + x * cmp_bytes;
3064 
3065         if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
3066             qemu_pixman_linebuf_fill(tmpbuf, vd->guest.fb, width, 0, y);
3067             guest_ptr = (uint8_t *)pixman_image_get_data(tmpbuf);
3068         } else {
3069             guest_ptr = guest_row0 + y * guest_stride;
3070         }
3071         guest_ptr += x * cmp_bytes;
3072 
3073         for (; x < DIV_ROUND_UP(width, VNC_DIRTY_PIXELS_PER_BIT);
3074              x++, guest_ptr += cmp_bytes, server_ptr += cmp_bytes) {
3075             int _cmp_bytes = cmp_bytes;
3076             if (!test_and_clear_bit(x, vd->guest.dirty[y])) {
3077                 continue;
3078             }
3079             if ((x + 1) * cmp_bytes > line_bytes) {
3080                 _cmp_bytes = line_bytes - x * cmp_bytes;
3081             }
3082             assert(_cmp_bytes >= 0);
3083             if (memcmp(server_ptr, guest_ptr, _cmp_bytes) == 0) {
3084                 continue;
3085             }
3086             memcpy(server_ptr, guest_ptr, _cmp_bytes);
3087             if (!vd->non_adaptive) {
3088                 vnc_rect_updated(vd, x * VNC_DIRTY_PIXELS_PER_BIT,
3089                                  y, &tv);
3090             }
3091             QTAILQ_FOREACH(vs, &vd->clients, next) {
3092                 set_bit(x, vs->dirty[y]);
3093             }
3094             has_dirty++;
3095         }
3096 
3097         y++;
3098     }
3099     qemu_pixman_image_unref(tmpbuf);
3100     return has_dirty;
3101 }
3102 
3103 static void vnc_refresh(DisplayChangeListener *dcl)
3104 {
3105     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
3106     VncState *vs, *vn;
3107     int has_dirty, rects = 0;
3108 
3109     if (QTAILQ_EMPTY(&vd->clients)) {
3110         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_MAX);
3111         return;
3112     }
3113 
3114     graphic_hw_update(vd->dcl.con);
3115 
3116     if (vnc_trylock_display(vd)) {
3117         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
3118         return;
3119     }
3120 
3121     has_dirty = vnc_refresh_server_surface(vd);
3122     vnc_unlock_display(vd);
3123 
3124     QTAILQ_FOREACH_SAFE(vs, &vd->clients, next, vn) {
3125         rects += vnc_update_client(vs, has_dirty);
3126         /* vs might be free()ed here */
3127     }
3128 
3129     if (has_dirty && rects) {
3130         vd->dcl.update_interval /= 2;
3131         if (vd->dcl.update_interval < VNC_REFRESH_INTERVAL_BASE) {
3132             vd->dcl.update_interval = VNC_REFRESH_INTERVAL_BASE;
3133         }
3134     } else {
3135         vd->dcl.update_interval += VNC_REFRESH_INTERVAL_INC;
3136         if (vd->dcl.update_interval > VNC_REFRESH_INTERVAL_MAX) {
3137             vd->dcl.update_interval = VNC_REFRESH_INTERVAL_MAX;
3138         }
3139     }
3140 }
3141 
3142 static void vnc_connect(VncDisplay *vd, QIOChannelSocket *sioc,
3143                         bool skipauth, bool websocket)
3144 {
3145     VncState *vs = g_new0(VncState, 1);
3146     bool first_client = QTAILQ_EMPTY(&vd->clients);
3147     int i;
3148 
3149     trace_vnc_client_connect(vs, sioc);
3150     vs->zrle = g_new0(VncZrle, 1);
3151     vs->tight = g_new0(VncTight, 1);
3152     vs->magic = VNC_MAGIC;
3153     vs->sioc = sioc;
3154     object_ref(OBJECT(vs->sioc));
3155     vs->ioc = QIO_CHANNEL(sioc);
3156     object_ref(OBJECT(vs->ioc));
3157     vs->vd = vd;
3158 
3159     buffer_init(&vs->input,          "vnc-input/%p", sioc);
3160     buffer_init(&vs->output,         "vnc-output/%p", sioc);
3161     buffer_init(&vs->jobs_buffer,    "vnc-jobs_buffer/%p", sioc);
3162 
3163     buffer_init(&vs->tight->tight,    "vnc-tight/%p", sioc);
3164     buffer_init(&vs->tight->zlib,     "vnc-tight-zlib/%p", sioc);
3165     buffer_init(&vs->tight->gradient, "vnc-tight-gradient/%p", sioc);
3166 #ifdef CONFIG_VNC_JPEG
3167     buffer_init(&vs->tight->jpeg,     "vnc-tight-jpeg/%p", sioc);
3168 #endif
3169 #ifdef CONFIG_VNC_PNG
3170     buffer_init(&vs->tight->png,      "vnc-tight-png/%p", sioc);
3171 #endif
3172     buffer_init(&vs->zlib.zlib,      "vnc-zlib/%p", sioc);
3173     buffer_init(&vs->zrle->zrle,      "vnc-zrle/%p", sioc);
3174     buffer_init(&vs->zrle->fb,        "vnc-zrle-fb/%p", sioc);
3175     buffer_init(&vs->zrle->zlib,      "vnc-zrle-zlib/%p", sioc);
3176 
3177     if (skipauth) {
3178         vs->auth = VNC_AUTH_NONE;
3179         vs->subauth = VNC_AUTH_INVALID;
3180     } else {
3181         if (websocket) {
3182             vs->auth = vd->ws_auth;
3183             vs->subauth = VNC_AUTH_INVALID;
3184         } else {
3185             vs->auth = vd->auth;
3186             vs->subauth = vd->subauth;
3187         }
3188     }
3189     VNC_DEBUG("Client sioc=%p ws=%d auth=%d subauth=%d\n",
3190               sioc, websocket, vs->auth, vs->subauth);
3191 
3192     vs->lossy_rect = g_malloc0(VNC_STAT_ROWS * sizeof (*vs->lossy_rect));
3193     for (i = 0; i < VNC_STAT_ROWS; ++i) {
3194         vs->lossy_rect[i] = g_new0(uint8_t, VNC_STAT_COLS);
3195     }
3196 
3197     VNC_DEBUG("New client on socket %p\n", vs->sioc);
3198     update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
3199     qio_channel_set_blocking(vs->ioc, false, NULL);
3200     if (vs->ioc_tag) {
3201         g_source_remove(vs->ioc_tag);
3202     }
3203     if (websocket) {
3204         vs->websocket = 1;
3205         if (vd->tlscreds) {
3206             vs->ioc_tag = qio_channel_add_watch(
3207                 vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
3208                 vncws_tls_handshake_io, vs, NULL);
3209         } else {
3210             vs->ioc_tag = qio_channel_add_watch(
3211                 vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
3212                 vncws_handshake_io, vs, NULL);
3213         }
3214     } else {
3215         vs->ioc_tag = qio_channel_add_watch(
3216             vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
3217             vnc_client_io, vs, NULL);
3218     }
3219 
3220     vnc_client_cache_addr(vs);
3221     vnc_qmp_event(vs, QAPI_EVENT_VNC_CONNECTED);
3222     vnc_set_share_mode(vs, VNC_SHARE_MODE_CONNECTING);
3223 
3224     vs->last_x = -1;
3225     vs->last_y = -1;
3226 
3227     vs->as.freq = 44100;
3228     vs->as.nchannels = 2;
3229     vs->as.fmt = AUDIO_FORMAT_S16;
3230     vs->as.endianness = 0;
3231 
3232     qemu_mutex_init(&vs->output_mutex);
3233     vs->bh = qemu_bh_new(vnc_jobs_bh, vs);
3234 
3235     QTAILQ_INSERT_TAIL(&vd->clients, vs, next);
3236     if (first_client) {
3237         vnc_update_server_surface(vd);
3238     }
3239 
3240     graphic_hw_update(vd->dcl.con);
3241 
3242     if (!vs->websocket) {
3243         vnc_start_protocol(vs);
3244     }
3245 
3246     if (vd->num_connecting > vd->connections_limit) {
3247         QTAILQ_FOREACH(vs, &vd->clients, next) {
3248             if (vs->share_mode == VNC_SHARE_MODE_CONNECTING) {
3249                 vnc_disconnect_start(vs);
3250                 return;
3251             }
3252         }
3253     }
3254 }
3255 
3256 void vnc_start_protocol(VncState *vs)
3257 {
3258     vnc_write(vs, "RFB 003.008\n", 12);
3259     vnc_flush(vs);
3260     vnc_read_when(vs, protocol_version, 12);
3261 
3262     vs->mouse_mode_notifier.notify = check_pointer_type_change;
3263     qemu_add_mouse_mode_change_notifier(&vs->mouse_mode_notifier);
3264 }
3265 
3266 static void vnc_listen_io(QIONetListener *listener,
3267                           QIOChannelSocket *cioc,
3268                           void *opaque)
3269 {
3270     VncDisplay *vd = opaque;
3271     bool isWebsock = listener == vd->wslistener;
3272 
3273     qio_channel_set_name(QIO_CHANNEL(cioc),
3274                          isWebsock ? "vnc-ws-server" : "vnc-server");
3275     qio_channel_set_delay(QIO_CHANNEL(cioc), false);
3276     vnc_connect(vd, cioc, false, isWebsock);
3277 }
3278 
3279 static const DisplayChangeListenerOps dcl_ops = {
3280     .dpy_name             = "vnc",
3281     .dpy_refresh          = vnc_refresh,
3282     .dpy_gfx_update       = vnc_dpy_update,
3283     .dpy_gfx_switch       = vnc_dpy_switch,
3284     .dpy_gfx_check_format = qemu_pixman_check_format,
3285     .dpy_mouse_set        = vnc_mouse_set,
3286     .dpy_cursor_define    = vnc_dpy_cursor_define,
3287 };
3288 
3289 void vnc_display_init(const char *id, Error **errp)
3290 {
3291     VncDisplay *vd;
3292 
3293     if (vnc_display_find(id) != NULL) {
3294         return;
3295     }
3296     vd = g_malloc0(sizeof(*vd));
3297 
3298     vd->id = strdup(id);
3299     QTAILQ_INSERT_TAIL(&vnc_displays, vd, next);
3300 
3301     QTAILQ_INIT(&vd->clients);
3302     vd->expires = TIME_MAX;
3303 
3304     if (keyboard_layout) {
3305         trace_vnc_key_map_init(keyboard_layout);
3306         vd->kbd_layout = init_keyboard_layout(name2keysym,
3307                                               keyboard_layout, errp);
3308     } else {
3309         vd->kbd_layout = init_keyboard_layout(name2keysym, "en-us", errp);
3310     }
3311 
3312     if (!vd->kbd_layout) {
3313         return;
3314     }
3315 
3316     vd->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
3317     vd->connections_limit = 32;
3318 
3319     qemu_mutex_init(&vd->mutex);
3320     vnc_start_worker_thread();
3321 
3322     vd->dcl.ops = &dcl_ops;
3323     register_displaychangelistener(&vd->dcl);
3324     vd->kbd = qkbd_state_init(vd->dcl.con);
3325 }
3326 
3327 
3328 static void vnc_display_close(VncDisplay *vd)
3329 {
3330     if (!vd) {
3331         return;
3332     }
3333     vd->is_unix = false;
3334 
3335     if (vd->listener) {
3336         qio_net_listener_disconnect(vd->listener);
3337         object_unref(OBJECT(vd->listener));
3338     }
3339     vd->listener = NULL;
3340 
3341     if (vd->wslistener) {
3342         qio_net_listener_disconnect(vd->wslistener);
3343         object_unref(OBJECT(vd->wslistener));
3344     }
3345     vd->wslistener = NULL;
3346 
3347     vd->auth = VNC_AUTH_INVALID;
3348     vd->subauth = VNC_AUTH_INVALID;
3349     if (vd->tlscreds) {
3350         object_unref(OBJECT(vd->tlscreds));
3351         vd->tlscreds = NULL;
3352     }
3353     if (vd->tlsauthz) {
3354         object_unparent(OBJECT(vd->tlsauthz));
3355         vd->tlsauthz = NULL;
3356     }
3357     g_free(vd->tlsauthzid);
3358     vd->tlsauthzid = NULL;
3359     if (vd->lock_key_sync) {
3360         qemu_remove_led_event_handler(vd->led);
3361         vd->led = NULL;
3362     }
3363 #ifdef CONFIG_VNC_SASL
3364     if (vd->sasl.authz) {
3365         object_unparent(OBJECT(vd->sasl.authz));
3366         vd->sasl.authz = NULL;
3367     }
3368     g_free(vd->sasl.authzid);
3369     vd->sasl.authzid = NULL;
3370 #endif
3371 }
3372 
3373 int vnc_display_password(const char *id, const char *password)
3374 {
3375     VncDisplay *vd = vnc_display_find(id);
3376 
3377     if (!vd) {
3378         return -EINVAL;
3379     }
3380     if (vd->auth == VNC_AUTH_NONE) {
3381         error_printf_unless_qmp("If you want use passwords please enable "
3382                                 "password auth using '-vnc ${dpy},password'.\n");
3383         return -EINVAL;
3384     }
3385 
3386     g_free(vd->password);
3387     vd->password = g_strdup(password);
3388 
3389     return 0;
3390 }
3391 
3392 int vnc_display_pw_expire(const char *id, time_t expires)
3393 {
3394     VncDisplay *vd = vnc_display_find(id);
3395 
3396     if (!vd) {
3397         return -EINVAL;
3398     }
3399 
3400     vd->expires = expires;
3401     return 0;
3402 }
3403 
3404 static void vnc_display_print_local_addr(VncDisplay *vd)
3405 {
3406     SocketAddress *addr;
3407 
3408     if (!vd->listener || !vd->listener->nsioc) {
3409         return;
3410     }
3411 
3412     addr = qio_channel_socket_get_local_address(vd->listener->sioc[0], NULL);
3413     if (!addr) {
3414         return;
3415     }
3416 
3417     if (addr->type != SOCKET_ADDRESS_TYPE_INET) {
3418         qapi_free_SocketAddress(addr);
3419         return;
3420     }
3421     error_printf_unless_qmp("VNC server running on %s:%s\n",
3422                             addr->u.inet.host,
3423                             addr->u.inet.port);
3424     qapi_free_SocketAddress(addr);
3425 }
3426 
3427 static QemuOptsList qemu_vnc_opts = {
3428     .name = "vnc",
3429     .head = QTAILQ_HEAD_INITIALIZER(qemu_vnc_opts.head),
3430     .implied_opt_name = "vnc",
3431     .desc = {
3432         {
3433             .name = "vnc",
3434             .type = QEMU_OPT_STRING,
3435         },{
3436             .name = "websocket",
3437             .type = QEMU_OPT_STRING,
3438         },{
3439             .name = "tls-creds",
3440             .type = QEMU_OPT_STRING,
3441         },{
3442             .name = "share",
3443             .type = QEMU_OPT_STRING,
3444         },{
3445             .name = "display",
3446             .type = QEMU_OPT_STRING,
3447         },{
3448             .name = "head",
3449             .type = QEMU_OPT_NUMBER,
3450         },{
3451             .name = "connections",
3452             .type = QEMU_OPT_NUMBER,
3453         },{
3454             .name = "to",
3455             .type = QEMU_OPT_NUMBER,
3456         },{
3457             .name = "ipv4",
3458             .type = QEMU_OPT_BOOL,
3459         },{
3460             .name = "ipv6",
3461             .type = QEMU_OPT_BOOL,
3462         },{
3463             .name = "password",
3464             .type = QEMU_OPT_BOOL,
3465         },{
3466             .name = "reverse",
3467             .type = QEMU_OPT_BOOL,
3468         },{
3469             .name = "lock-key-sync",
3470             .type = QEMU_OPT_BOOL,
3471         },{
3472             .name = "key-delay-ms",
3473             .type = QEMU_OPT_NUMBER,
3474         },{
3475             .name = "sasl",
3476             .type = QEMU_OPT_BOOL,
3477         },{
3478             .name = "acl",
3479             .type = QEMU_OPT_BOOL,
3480         },{
3481             .name = "tls-authz",
3482             .type = QEMU_OPT_STRING,
3483         },{
3484             .name = "sasl-authz",
3485             .type = QEMU_OPT_STRING,
3486         },{
3487             .name = "lossy",
3488             .type = QEMU_OPT_BOOL,
3489         },{
3490             .name = "non-adaptive",
3491             .type = QEMU_OPT_BOOL,
3492         },{
3493             .name = "audiodev",
3494             .type = QEMU_OPT_STRING,
3495         },{
3496             .name = "power-control",
3497             .type = QEMU_OPT_BOOL,
3498         },
3499         { /* end of list */ }
3500     },
3501 };
3502 
3503 
3504 static int
3505 vnc_display_setup_auth(int *auth,
3506                        int *subauth,
3507                        QCryptoTLSCreds *tlscreds,
3508                        bool password,
3509                        bool sasl,
3510                        bool websocket,
3511                        Error **errp)
3512 {
3513     /*
3514      * We have a choice of 3 authentication options
3515      *
3516      *   1. none
3517      *   2. vnc
3518      *   3. sasl
3519      *
3520      * The channel can be run in 2 modes
3521      *
3522      *   1. clear
3523      *   2. tls
3524      *
3525      * And TLS can use 2 types of credentials
3526      *
3527      *   1. anon
3528      *   2. x509
3529      *
3530      * We thus have 9 possible logical combinations
3531      *
3532      *   1. clear + none
3533      *   2. clear + vnc
3534      *   3. clear + sasl
3535      *   4. tls + anon + none
3536      *   5. tls + anon + vnc
3537      *   6. tls + anon + sasl
3538      *   7. tls + x509 + none
3539      *   8. tls + x509 + vnc
3540      *   9. tls + x509 + sasl
3541      *
3542      * These need to be mapped into the VNC auth schemes
3543      * in an appropriate manner. In regular VNC, all the
3544      * TLS options get mapped into VNC_AUTH_VENCRYPT
3545      * sub-auth types.
3546      *
3547      * In websockets, the https:// protocol already provides
3548      * TLS support, so there is no need to make use of the
3549      * VeNCrypt extension. Furthermore, websockets browser
3550      * clients could not use VeNCrypt even if they wanted to,
3551      * as they cannot control when the TLS handshake takes
3552      * place. Thus there is no option but to rely on https://,
3553      * meaning combinations 4->6 and 7->9 will be mapped to
3554      * VNC auth schemes in the same way as combos 1->3.
3555      *
3556      * Regardless of fact that we have a different mapping to
3557      * VNC auth mechs for plain VNC vs websockets VNC, the end
3558      * result has the same security characteristics.
3559      */
3560     if (websocket || !tlscreds) {
3561         if (password) {
3562             VNC_DEBUG("Initializing VNC server with password auth\n");
3563             *auth = VNC_AUTH_VNC;
3564         } else if (sasl) {
3565             VNC_DEBUG("Initializing VNC server with SASL auth\n");
3566             *auth = VNC_AUTH_SASL;
3567         } else {
3568             VNC_DEBUG("Initializing VNC server with no auth\n");
3569             *auth = VNC_AUTH_NONE;
3570         }
3571         *subauth = VNC_AUTH_INVALID;
3572     } else {
3573         bool is_x509 = object_dynamic_cast(OBJECT(tlscreds),
3574                                            TYPE_QCRYPTO_TLS_CREDS_X509) != NULL;
3575         bool is_anon = object_dynamic_cast(OBJECT(tlscreds),
3576                                            TYPE_QCRYPTO_TLS_CREDS_ANON) != NULL;
3577 
3578         if (!is_x509 && !is_anon) {
3579             error_setg(errp,
3580                        "Unsupported TLS cred type %s",
3581                        object_get_typename(OBJECT(tlscreds)));
3582             return -1;
3583         }
3584         *auth = VNC_AUTH_VENCRYPT;
3585         if (password) {
3586             if (is_x509) {
3587                 VNC_DEBUG("Initializing VNC server with x509 password auth\n");
3588                 *subauth = VNC_AUTH_VENCRYPT_X509VNC;
3589             } else {
3590                 VNC_DEBUG("Initializing VNC server with TLS password auth\n");
3591                 *subauth = VNC_AUTH_VENCRYPT_TLSVNC;
3592             }
3593 
3594         } else if (sasl) {
3595             if (is_x509) {
3596                 VNC_DEBUG("Initializing VNC server with x509 SASL auth\n");
3597                 *subauth = VNC_AUTH_VENCRYPT_X509SASL;
3598             } else {
3599                 VNC_DEBUG("Initializing VNC server with TLS SASL auth\n");
3600                 *subauth = VNC_AUTH_VENCRYPT_TLSSASL;
3601             }
3602         } else {
3603             if (is_x509) {
3604                 VNC_DEBUG("Initializing VNC server with x509 no auth\n");
3605                 *subauth = VNC_AUTH_VENCRYPT_X509NONE;
3606             } else {
3607                 VNC_DEBUG("Initializing VNC server with TLS no auth\n");
3608                 *subauth = VNC_AUTH_VENCRYPT_TLSNONE;
3609             }
3610         }
3611     }
3612     return 0;
3613 }
3614 
3615 
3616 static int vnc_display_get_address(const char *addrstr,
3617                                    bool websocket,
3618                                    bool reverse,
3619                                    int displaynum,
3620                                    int to,
3621                                    bool has_ipv4,
3622                                    bool has_ipv6,
3623                                    bool ipv4,
3624                                    bool ipv6,
3625                                    SocketAddress **retaddr,
3626                                    Error **errp)
3627 {
3628     int ret = -1;
3629     SocketAddress *addr = NULL;
3630 
3631     addr = g_new0(SocketAddress, 1);
3632 
3633     if (strncmp(addrstr, "unix:", 5) == 0) {
3634         addr->type = SOCKET_ADDRESS_TYPE_UNIX;
3635         addr->u.q_unix.path = g_strdup(addrstr + 5);
3636 
3637         if (websocket) {
3638             error_setg(errp, "UNIX sockets not supported with websock");
3639             goto cleanup;
3640         }
3641 
3642         if (to) {
3643             error_setg(errp, "Port range not support with UNIX socket");
3644             goto cleanup;
3645         }
3646         ret = 0;
3647     } else {
3648         const char *port;
3649         size_t hostlen;
3650         unsigned long long baseport = 0;
3651         InetSocketAddress *inet;
3652 
3653         port = strrchr(addrstr, ':');
3654         if (!port) {
3655             if (websocket) {
3656                 hostlen = 0;
3657                 port = addrstr;
3658             } else {
3659                 error_setg(errp, "no vnc port specified");
3660                 goto cleanup;
3661             }
3662         } else {
3663             hostlen = port - addrstr;
3664             port++;
3665             if (*port == '\0') {
3666                 error_setg(errp, "vnc port cannot be empty");
3667                 goto cleanup;
3668             }
3669         }
3670 
3671         addr->type = SOCKET_ADDRESS_TYPE_INET;
3672         inet = &addr->u.inet;
3673         if (addrstr[0] == '[' && addrstr[hostlen - 1] == ']') {
3674             inet->host = g_strndup(addrstr + 1, hostlen - 2);
3675         } else {
3676             inet->host = g_strndup(addrstr, hostlen);
3677         }
3678         /* plain VNC port is just an offset, for websocket
3679          * port is absolute */
3680         if (websocket) {
3681             if (g_str_equal(addrstr, "") ||
3682                 g_str_equal(addrstr, "on")) {
3683                 if (displaynum == -1) {
3684                     error_setg(errp, "explicit websocket port is required");
3685                     goto cleanup;
3686                 }
3687                 inet->port = g_strdup_printf(
3688                     "%d", displaynum + 5700);
3689                 if (to) {
3690                     inet->has_to = true;
3691                     inet->to = to + 5700;
3692                 }
3693             } else {
3694                 inet->port = g_strdup(port);
3695             }
3696         } else {
3697             int offset = reverse ? 0 : 5900;
3698             if (parse_uint_full(port, &baseport, 10) < 0) {
3699                 error_setg(errp, "can't convert to a number: %s", port);
3700                 goto cleanup;
3701             }
3702             if (baseport > 65535 ||
3703                 baseport + offset > 65535) {
3704                 error_setg(errp, "port %s out of range", port);
3705                 goto cleanup;
3706             }
3707             inet->port = g_strdup_printf(
3708                 "%d", (int)baseport + offset);
3709 
3710             if (to) {
3711                 inet->has_to = true;
3712                 inet->to = to + offset;
3713             }
3714         }
3715 
3716         inet->ipv4 = ipv4;
3717         inet->has_ipv4 = has_ipv4;
3718         inet->ipv6 = ipv6;
3719         inet->has_ipv6 = has_ipv6;
3720 
3721         ret = baseport;
3722     }
3723 
3724     *retaddr = addr;
3725 
3726  cleanup:
3727     if (ret < 0) {
3728         qapi_free_SocketAddress(addr);
3729     }
3730     return ret;
3731 }
3732 
3733 static void vnc_free_addresses(SocketAddress ***retsaddr,
3734                                size_t *retnsaddr)
3735 {
3736     size_t i;
3737 
3738     for (i = 0; i < *retnsaddr; i++) {
3739         qapi_free_SocketAddress((*retsaddr)[i]);
3740     }
3741     g_free(*retsaddr);
3742 
3743     *retsaddr = NULL;
3744     *retnsaddr = 0;
3745 }
3746 
3747 static int vnc_display_get_addresses(QemuOpts *opts,
3748                                      bool reverse,
3749                                      SocketAddress ***retsaddr,
3750                                      size_t *retnsaddr,
3751                                      SocketAddress ***retwsaddr,
3752                                      size_t *retnwsaddr,
3753                                      Error **errp)
3754 {
3755     SocketAddress *saddr = NULL;
3756     SocketAddress *wsaddr = NULL;
3757     QemuOptsIter addriter;
3758     const char *addr;
3759     int to = qemu_opt_get_number(opts, "to", 0);
3760     bool has_ipv4 = qemu_opt_get(opts, "ipv4");
3761     bool has_ipv6 = qemu_opt_get(opts, "ipv6");
3762     bool ipv4 = qemu_opt_get_bool(opts, "ipv4", false);
3763     bool ipv6 = qemu_opt_get_bool(opts, "ipv6", false);
3764     int displaynum = -1;
3765     int ret = -1;
3766 
3767     *retsaddr = NULL;
3768     *retnsaddr = 0;
3769     *retwsaddr = NULL;
3770     *retnwsaddr = 0;
3771 
3772     addr = qemu_opt_get(opts, "vnc");
3773     if (addr == NULL || g_str_equal(addr, "none")) {
3774         ret = 0;
3775         goto cleanup;
3776     }
3777     if (qemu_opt_get(opts, "websocket") &&
3778         !qcrypto_hash_supports(QCRYPTO_HASH_ALG_SHA1)) {
3779         error_setg(errp,
3780                    "SHA1 hash support is required for websockets");
3781         goto cleanup;
3782     }
3783 
3784     qemu_opt_iter_init(&addriter, opts, "vnc");
3785     while ((addr = qemu_opt_iter_next(&addriter)) != NULL) {
3786         int rv;
3787         rv = vnc_display_get_address(addr, false, reverse, 0, to,
3788                                      has_ipv4, has_ipv6,
3789                                      ipv4, ipv6,
3790                                      &saddr, errp);
3791         if (rv < 0) {
3792             goto cleanup;
3793         }
3794         /* Historical compat - first listen address can be used
3795          * to set the default websocket port
3796          */
3797         if (displaynum == -1) {
3798             displaynum = rv;
3799         }
3800         *retsaddr = g_renew(SocketAddress *, *retsaddr, *retnsaddr + 1);
3801         (*retsaddr)[(*retnsaddr)++] = saddr;
3802     }
3803 
3804     /* If we had multiple primary displays, we don't do defaults
3805      * for websocket, and require explicit config instead. */
3806     if (*retnsaddr > 1) {
3807         displaynum = -1;
3808     }
3809 
3810     qemu_opt_iter_init(&addriter, opts, "websocket");
3811     while ((addr = qemu_opt_iter_next(&addriter)) != NULL) {
3812         if (vnc_display_get_address(addr, true, reverse, displaynum, to,
3813                                     has_ipv4, has_ipv6,
3814                                     ipv4, ipv6,
3815                                     &wsaddr, errp) < 0) {
3816             goto cleanup;
3817         }
3818 
3819         /* Historical compat - if only a single listen address was
3820          * provided, then this is used to set the default listen
3821          * address for websocket too
3822          */
3823         if (*retnsaddr == 1 &&
3824             (*retsaddr)[0]->type == SOCKET_ADDRESS_TYPE_INET &&
3825             wsaddr->type == SOCKET_ADDRESS_TYPE_INET &&
3826             g_str_equal(wsaddr->u.inet.host, "") &&
3827             !g_str_equal((*retsaddr)[0]->u.inet.host, "")) {
3828             g_free(wsaddr->u.inet.host);
3829             wsaddr->u.inet.host = g_strdup((*retsaddr)[0]->u.inet.host);
3830         }
3831 
3832         *retwsaddr = g_renew(SocketAddress *, *retwsaddr, *retnwsaddr + 1);
3833         (*retwsaddr)[(*retnwsaddr)++] = wsaddr;
3834     }
3835 
3836     ret = 0;
3837  cleanup:
3838     if (ret < 0) {
3839         vnc_free_addresses(retsaddr, retnsaddr);
3840         vnc_free_addresses(retwsaddr, retnwsaddr);
3841     }
3842     return ret;
3843 }
3844 
3845 static int vnc_display_connect(VncDisplay *vd,
3846                                SocketAddress **saddr,
3847                                size_t nsaddr,
3848                                SocketAddress **wsaddr,
3849                                size_t nwsaddr,
3850                                Error **errp)
3851 {
3852     /* connect to viewer */
3853     QIOChannelSocket *sioc = NULL;
3854     if (nwsaddr != 0) {
3855         error_setg(errp, "Cannot use websockets in reverse mode");
3856         return -1;
3857     }
3858     if (nsaddr != 1) {
3859         error_setg(errp, "Expected a single address in reverse mode");
3860         return -1;
3861     }
3862     /* TODO SOCKET_ADDRESS_TYPE_FD when fd has AF_UNIX */
3863     vd->is_unix = saddr[0]->type == SOCKET_ADDRESS_TYPE_UNIX;
3864     sioc = qio_channel_socket_new();
3865     qio_channel_set_name(QIO_CHANNEL(sioc), "vnc-reverse");
3866     if (qio_channel_socket_connect_sync(sioc, saddr[0], errp) < 0) {
3867         object_unref(OBJECT(sioc));
3868         return -1;
3869     }
3870     vnc_connect(vd, sioc, false, false);
3871     object_unref(OBJECT(sioc));
3872     return 0;
3873 }
3874 
3875 
3876 static int vnc_display_listen(VncDisplay *vd,
3877                               SocketAddress **saddr,
3878                               size_t nsaddr,
3879                               SocketAddress **wsaddr,
3880                               size_t nwsaddr,
3881                               Error **errp)
3882 {
3883     size_t i;
3884 
3885     if (nsaddr) {
3886         vd->listener = qio_net_listener_new();
3887         qio_net_listener_set_name(vd->listener, "vnc-listen");
3888         for (i = 0; i < nsaddr; i++) {
3889             if (qio_net_listener_open_sync(vd->listener,
3890                                            saddr[i], 1,
3891                                            errp) < 0)  {
3892                 return -1;
3893             }
3894         }
3895 
3896         qio_net_listener_set_client_func(vd->listener,
3897                                          vnc_listen_io, vd, NULL);
3898     }
3899 
3900     if (nwsaddr) {
3901         vd->wslistener = qio_net_listener_new();
3902         qio_net_listener_set_name(vd->wslistener, "vnc-ws-listen");
3903         for (i = 0; i < nwsaddr; i++) {
3904             if (qio_net_listener_open_sync(vd->wslistener,
3905                                            wsaddr[i], 1,
3906                                            errp) < 0)  {
3907                 return -1;
3908             }
3909         }
3910 
3911         qio_net_listener_set_client_func(vd->wslistener,
3912                                          vnc_listen_io, vd, NULL);
3913     }
3914 
3915     return 0;
3916 }
3917 
3918 
3919 void vnc_display_open(const char *id, Error **errp)
3920 {
3921     VncDisplay *vd = vnc_display_find(id);
3922     QemuOpts *opts = qemu_opts_find(&qemu_vnc_opts, id);
3923     SocketAddress **saddr = NULL, **wsaddr = NULL;
3924     size_t nsaddr, nwsaddr;
3925     const char *share, *device_id;
3926     QemuConsole *con;
3927     bool password = false;
3928     bool reverse = false;
3929     const char *credid;
3930     bool sasl = false;
3931     int acl = 0;
3932     const char *tlsauthz;
3933     const char *saslauthz;
3934     int lock_key_sync = 1;
3935     int key_delay_ms;
3936     const char *audiodev;
3937 
3938     if (!vd) {
3939         error_setg(errp, "VNC display not active");
3940         return;
3941     }
3942     vnc_display_close(vd);
3943 
3944     if (!opts) {
3945         return;
3946     }
3947 
3948     reverse = qemu_opt_get_bool(opts, "reverse", false);
3949     if (vnc_display_get_addresses(opts, reverse, &saddr, &nsaddr,
3950                                   &wsaddr, &nwsaddr, errp) < 0) {
3951         goto fail;
3952     }
3953 
3954     password = qemu_opt_get_bool(opts, "password", false);
3955     if (password) {
3956         if (fips_get_state()) {
3957             error_setg(errp,
3958                        "VNC password auth disabled due to FIPS mode, "
3959                        "consider using the VeNCrypt or SASL authentication "
3960                        "methods as an alternative");
3961             goto fail;
3962         }
3963         if (!qcrypto_cipher_supports(
3964                 QCRYPTO_CIPHER_ALG_DES_RFB, QCRYPTO_CIPHER_MODE_ECB)) {
3965             error_setg(errp,
3966                        "Cipher backend does not support DES RFB algorithm");
3967             goto fail;
3968         }
3969     }
3970 
3971     lock_key_sync = qemu_opt_get_bool(opts, "lock-key-sync", true);
3972     key_delay_ms = qemu_opt_get_number(opts, "key-delay-ms", 10);
3973     sasl = qemu_opt_get_bool(opts, "sasl", false);
3974 #ifndef CONFIG_VNC_SASL
3975     if (sasl) {
3976         error_setg(errp, "VNC SASL auth requires cyrus-sasl support");
3977         goto fail;
3978     }
3979 #endif /* CONFIG_VNC_SASL */
3980     credid = qemu_opt_get(opts, "tls-creds");
3981     if (credid) {
3982         Object *creds;
3983         creds = object_resolve_path_component(
3984             object_get_objects_root(), credid);
3985         if (!creds) {
3986             error_setg(errp, "No TLS credentials with id '%s'",
3987                        credid);
3988             goto fail;
3989         }
3990         vd->tlscreds = (QCryptoTLSCreds *)
3991             object_dynamic_cast(creds,
3992                                 TYPE_QCRYPTO_TLS_CREDS);
3993         if (!vd->tlscreds) {
3994             error_setg(errp, "Object with id '%s' is not TLS credentials",
3995                        credid);
3996             goto fail;
3997         }
3998         object_ref(OBJECT(vd->tlscreds));
3999 
4000         if (vd->tlscreds->endpoint != QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) {
4001             error_setg(errp,
4002                        "Expecting TLS credentials with a server endpoint");
4003             goto fail;
4004         }
4005     }
4006     if (qemu_opt_get(opts, "acl")) {
4007         error_report("The 'acl' option to -vnc is deprecated. "
4008                      "Please use the 'tls-authz' and 'sasl-authz' "
4009                      "options instead");
4010     }
4011     acl = qemu_opt_get_bool(opts, "acl", false);
4012     tlsauthz = qemu_opt_get(opts, "tls-authz");
4013     if (acl && tlsauthz) {
4014         error_setg(errp, "'acl' option is mutually exclusive with the "
4015                    "'tls-authz' option");
4016         goto fail;
4017     }
4018     if (tlsauthz && !vd->tlscreds) {
4019         error_setg(errp, "'tls-authz' provided but TLS is not enabled");
4020         goto fail;
4021     }
4022 
4023     saslauthz = qemu_opt_get(opts, "sasl-authz");
4024     if (acl && saslauthz) {
4025         error_setg(errp, "'acl' option is mutually exclusive with the "
4026                    "'sasl-authz' option");
4027         goto fail;
4028     }
4029     if (saslauthz && !sasl) {
4030         error_setg(errp, "'sasl-authz' provided but SASL auth is not enabled");
4031         goto fail;
4032     }
4033 
4034     share = qemu_opt_get(opts, "share");
4035     if (share) {
4036         if (strcmp(share, "ignore") == 0) {
4037             vd->share_policy = VNC_SHARE_POLICY_IGNORE;
4038         } else if (strcmp(share, "allow-exclusive") == 0) {
4039             vd->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
4040         } else if (strcmp(share, "force-shared") == 0) {
4041             vd->share_policy = VNC_SHARE_POLICY_FORCE_SHARED;
4042         } else {
4043             error_setg(errp, "unknown vnc share= option");
4044             goto fail;
4045         }
4046     } else {
4047         vd->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
4048     }
4049     vd->connections_limit = qemu_opt_get_number(opts, "connections", 32);
4050 
4051 #ifdef CONFIG_VNC_JPEG
4052     vd->lossy = qemu_opt_get_bool(opts, "lossy", false);
4053 #endif
4054     vd->non_adaptive = qemu_opt_get_bool(opts, "non-adaptive", false);
4055     /* adaptive updates are only used with tight encoding and
4056      * if lossy updates are enabled so we can disable all the
4057      * calculations otherwise */
4058     if (!vd->lossy) {
4059         vd->non_adaptive = true;
4060     }
4061 
4062     vd->power_control = qemu_opt_get_bool(opts, "power-control", false);
4063 
4064     if (tlsauthz) {
4065         vd->tlsauthzid = g_strdup(tlsauthz);
4066     } else if (acl) {
4067         if (strcmp(vd->id, "default") == 0) {
4068             vd->tlsauthzid = g_strdup("vnc.x509dname");
4069         } else {
4070             vd->tlsauthzid = g_strdup_printf("vnc.%s.x509dname", vd->id);
4071         }
4072         vd->tlsauthz = QAUTHZ(qauthz_list_new(vd->tlsauthzid,
4073                                               QAUTHZ_LIST_POLICY_DENY,
4074                                               &error_abort));
4075     }
4076 #ifdef CONFIG_VNC_SASL
4077     if (sasl) {
4078         if (saslauthz) {
4079             vd->sasl.authzid = g_strdup(saslauthz);
4080         } else if (acl) {
4081             if (strcmp(vd->id, "default") == 0) {
4082                 vd->sasl.authzid = g_strdup("vnc.username");
4083             } else {
4084                 vd->sasl.authzid = g_strdup_printf("vnc.%s.username", vd->id);
4085             }
4086             vd->sasl.authz = QAUTHZ(qauthz_list_new(vd->sasl.authzid,
4087                                                     QAUTHZ_LIST_POLICY_DENY,
4088                                                     &error_abort));
4089         }
4090     }
4091 #endif
4092 
4093     if (vnc_display_setup_auth(&vd->auth, &vd->subauth,
4094                                vd->tlscreds, password,
4095                                sasl, false, errp) < 0) {
4096         goto fail;
4097     }
4098     trace_vnc_auth_init(vd, 0, vd->auth, vd->subauth);
4099 
4100     if (vnc_display_setup_auth(&vd->ws_auth, &vd->ws_subauth,
4101                                vd->tlscreds, password,
4102                                sasl, true, errp) < 0) {
4103         goto fail;
4104     }
4105     trace_vnc_auth_init(vd, 1, vd->ws_auth, vd->ws_subauth);
4106 
4107 #ifdef CONFIG_VNC_SASL
4108     if (sasl) {
4109         int saslErr = sasl_server_init(NULL, "qemu");
4110 
4111         if (saslErr != SASL_OK) {
4112             error_setg(errp, "Failed to initialize SASL auth: %s",
4113                        sasl_errstring(saslErr, NULL, NULL));
4114             goto fail;
4115         }
4116     }
4117 #endif
4118     vd->lock_key_sync = lock_key_sync;
4119     if (lock_key_sync) {
4120         vd->led = qemu_add_led_event_handler(kbd_leds, vd);
4121     }
4122     vd->ledstate = 0;
4123 
4124     audiodev = qemu_opt_get(opts, "audiodev");
4125     if (audiodev) {
4126         vd->audio_state = audio_state_by_name(audiodev);
4127         if (!vd->audio_state) {
4128             error_setg(errp, "Audiodev '%s' not found", audiodev);
4129             goto fail;
4130         }
4131     }
4132 
4133     device_id = qemu_opt_get(opts, "display");
4134     if (device_id) {
4135         int head = qemu_opt_get_number(opts, "head", 0);
4136         Error *err = NULL;
4137 
4138         con = qemu_console_lookup_by_device_name(device_id, head, &err);
4139         if (err) {
4140             error_propagate(errp, err);
4141             goto fail;
4142         }
4143     } else {
4144         con = NULL;
4145     }
4146 
4147     if (con != vd->dcl.con) {
4148         qkbd_state_free(vd->kbd);
4149         unregister_displaychangelistener(&vd->dcl);
4150         vd->dcl.con = con;
4151         register_displaychangelistener(&vd->dcl);
4152         vd->kbd = qkbd_state_init(vd->dcl.con);
4153     }
4154     qkbd_state_set_delay(vd->kbd, key_delay_ms);
4155 
4156     if (saddr == NULL) {
4157         goto cleanup;
4158     }
4159 
4160     if (reverse) {
4161         if (vnc_display_connect(vd, saddr, nsaddr, wsaddr, nwsaddr, errp) < 0) {
4162             goto fail;
4163         }
4164     } else {
4165         if (vnc_display_listen(vd, saddr, nsaddr, wsaddr, nwsaddr, errp) < 0) {
4166             goto fail;
4167         }
4168     }
4169 
4170     if (qemu_opt_get(opts, "to")) {
4171         vnc_display_print_local_addr(vd);
4172     }
4173 
4174  cleanup:
4175     vnc_free_addresses(&saddr, &nsaddr);
4176     vnc_free_addresses(&wsaddr, &nwsaddr);
4177     return;
4178 
4179 fail:
4180     vnc_display_close(vd);
4181     goto cleanup;
4182 }
4183 
4184 void vnc_display_add_client(const char *id, int csock, bool skipauth)
4185 {
4186     VncDisplay *vd = vnc_display_find(id);
4187     QIOChannelSocket *sioc;
4188 
4189     if (!vd) {
4190         return;
4191     }
4192 
4193     sioc = qio_channel_socket_new_fd(csock, NULL);
4194     if (sioc) {
4195         qio_channel_set_name(QIO_CHANNEL(sioc), "vnc-server");
4196         vnc_connect(vd, sioc, skipauth, false);
4197         object_unref(OBJECT(sioc));
4198     }
4199 }
4200 
4201 static void vnc_auto_assign_id(QemuOptsList *olist, QemuOpts *opts)
4202 {
4203     int i = 2;
4204     char *id;
4205 
4206     id = g_strdup("default");
4207     while (qemu_opts_find(olist, id)) {
4208         g_free(id);
4209         id = g_strdup_printf("vnc%d", i++);
4210     }
4211     qemu_opts_set_id(opts, id);
4212 }
4213 
4214 QemuOpts *vnc_parse(const char *str, Error **errp)
4215 {
4216     QemuOptsList *olist = qemu_find_opts("vnc");
4217     QemuOpts *opts = qemu_opts_parse(olist, str, true, errp);
4218     const char *id;
4219 
4220     if (!opts) {
4221         return NULL;
4222     }
4223 
4224     id = qemu_opts_id(opts);
4225     if (!id) {
4226         /* auto-assign id if not present */
4227         vnc_auto_assign_id(olist, opts);
4228     }
4229     return opts;
4230 }
4231 
4232 int vnc_init_func(void *opaque, QemuOpts *opts, Error **errp)
4233 {
4234     Error *local_err = NULL;
4235     char *id = (char *)qemu_opts_id(opts);
4236 
4237     assert(id);
4238     vnc_display_init(id, &local_err);
4239     if (local_err) {
4240         error_propagate(errp, local_err);
4241         return -1;
4242     }
4243     vnc_display_open(id, &local_err);
4244     if (local_err != NULL) {
4245         error_propagate(errp, local_err);
4246         return -1;
4247     }
4248     return 0;
4249 }
4250 
4251 static void vnc_register_config(void)
4252 {
4253     qemu_add_opts(&qemu_vnc_opts);
4254 }
4255 opts_init(vnc_register_config);
4256