xref: /openbmc/qemu/ui/vnc.c (revision a6caeee8)
1 /*
2  * QEMU VNC display driver
3  *
4  * Copyright (C) 2006 Anthony Liguori <anthony@codemonkey.ws>
5  * Copyright (C) 2006 Fabrice Bellard
6  * Copyright (C) 2009 Red Hat, Inc
7  *
8  * Permission is hereby granted, free of charge, to any person obtaining a copy
9  * of this software and associated documentation files (the "Software"), to deal
10  * in the Software without restriction, including without limitation the rights
11  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
12  * copies of the Software, and to permit persons to whom the Software is
13  * furnished to do so, subject to the following conditions:
14  *
15  * The above copyright notice and this permission notice shall be included in
16  * all copies or substantial portions of the Software.
17  *
18  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
19  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
20  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
21  * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
22  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
23  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
24  * THE SOFTWARE.
25  */
26 
27 #include "qemu/osdep.h"
28 #include "vnc.h"
29 #include "vnc-jobs.h"
30 #include "trace.h"
31 #include "hw/qdev-core.h"
32 #include "sysemu/sysemu.h"
33 #include "sysemu/runstate.h"
34 #include "qemu/error-report.h"
35 #include "qemu/main-loop.h"
36 #include "qemu/module.h"
37 #include "qemu/option.h"
38 #include "qemu/sockets.h"
39 #include "qemu/timer.h"
40 #include "authz/list.h"
41 #include "qemu/config-file.h"
42 #include "qapi/qapi-emit-events.h"
43 #include "qapi/qapi-events-ui.h"
44 #include "qapi/error.h"
45 #include "qapi/qapi-commands-ui.h"
46 #include "ui/input.h"
47 #include "crypto/hash.h"
48 #include "crypto/tlscreds.h"
49 #include "crypto/tlscredsanon.h"
50 #include "crypto/tlscredsx509.h"
51 #include "crypto/random.h"
52 #include "crypto/secret_common.h"
53 #include "qom/object_interfaces.h"
54 #include "qemu/cutils.h"
55 #include "qemu/help_option.h"
56 #include "io/dns-resolver.h"
57 #include "monitor/monitor.h"
58 
59 #define VNC_REFRESH_INTERVAL_BASE GUI_REFRESH_INTERVAL_DEFAULT
60 #define VNC_REFRESH_INTERVAL_INC  50
61 #define VNC_REFRESH_INTERVAL_MAX  GUI_REFRESH_INTERVAL_IDLE
62 static const struct timeval VNC_REFRESH_STATS = { 0, 500000 };
63 static const struct timeval VNC_REFRESH_LOSSY = { 2, 0 };
64 
65 #include "vnc_keysym.h"
66 #include "crypto/cipher.h"
67 
68 static QTAILQ_HEAD(, VncDisplay) vnc_displays =
69     QTAILQ_HEAD_INITIALIZER(vnc_displays);
70 
71 static int vnc_cursor_define(VncState *vs);
72 static void vnc_update_throttle_offset(VncState *vs);
73 
74 static void vnc_set_share_mode(VncState *vs, VncShareMode mode)
75 {
76 #ifdef _VNC_DEBUG
77     static const char *mn[] = {
78         [0]                           = "undefined",
79         [VNC_SHARE_MODE_CONNECTING]   = "connecting",
80         [VNC_SHARE_MODE_SHARED]       = "shared",
81         [VNC_SHARE_MODE_EXCLUSIVE]    = "exclusive",
82         [VNC_SHARE_MODE_DISCONNECTED] = "disconnected",
83     };
84     fprintf(stderr, "%s/%p: %s -> %s\n", __func__,
85             vs->ioc, mn[vs->share_mode], mn[mode]);
86 #endif
87 
88     switch (vs->share_mode) {
89     case VNC_SHARE_MODE_CONNECTING:
90         vs->vd->num_connecting--;
91         break;
92     case VNC_SHARE_MODE_SHARED:
93         vs->vd->num_shared--;
94         break;
95     case VNC_SHARE_MODE_EXCLUSIVE:
96         vs->vd->num_exclusive--;
97         break;
98     default:
99         break;
100     }
101 
102     vs->share_mode = mode;
103 
104     switch (vs->share_mode) {
105     case VNC_SHARE_MODE_CONNECTING:
106         vs->vd->num_connecting++;
107         break;
108     case VNC_SHARE_MODE_SHARED:
109         vs->vd->num_shared++;
110         break;
111     case VNC_SHARE_MODE_EXCLUSIVE:
112         vs->vd->num_exclusive++;
113         break;
114     default:
115         break;
116     }
117 }
118 
119 
120 static void vnc_init_basic_info(SocketAddress *addr,
121                                 VncBasicInfo *info,
122                                 Error **errp)
123 {
124     switch (addr->type) {
125     case SOCKET_ADDRESS_TYPE_INET:
126         info->host = g_strdup(addr->u.inet.host);
127         info->service = g_strdup(addr->u.inet.port);
128         if (addr->u.inet.ipv6) {
129             info->family = NETWORK_ADDRESS_FAMILY_IPV6;
130         } else {
131             info->family = NETWORK_ADDRESS_FAMILY_IPV4;
132         }
133         break;
134 
135     case SOCKET_ADDRESS_TYPE_UNIX:
136         info->host = g_strdup("");
137         info->service = g_strdup(addr->u.q_unix.path);
138         info->family = NETWORK_ADDRESS_FAMILY_UNIX;
139         break;
140 
141     case SOCKET_ADDRESS_TYPE_VSOCK:
142     case SOCKET_ADDRESS_TYPE_FD:
143         error_setg(errp, "Unsupported socket address type %s",
144                    SocketAddressType_str(addr->type));
145         break;
146     default:
147         abort();
148     }
149 
150     return;
151 }
152 
153 static void vnc_init_basic_info_from_server_addr(QIOChannelSocket *ioc,
154                                                  VncBasicInfo *info,
155                                                  Error **errp)
156 {
157     SocketAddress *addr = NULL;
158 
159     if (!ioc) {
160         error_setg(errp, "No listener socket available");
161         return;
162     }
163 
164     addr = qio_channel_socket_get_local_address(ioc, errp);
165     if (!addr) {
166         return;
167     }
168 
169     vnc_init_basic_info(addr, info, errp);
170     qapi_free_SocketAddress(addr);
171 }
172 
173 static void vnc_init_basic_info_from_remote_addr(QIOChannelSocket *ioc,
174                                                  VncBasicInfo *info,
175                                                  Error **errp)
176 {
177     SocketAddress *addr = NULL;
178 
179     addr = qio_channel_socket_get_remote_address(ioc, errp);
180     if (!addr) {
181         return;
182     }
183 
184     vnc_init_basic_info(addr, info, errp);
185     qapi_free_SocketAddress(addr);
186 }
187 
188 static const char *vnc_auth_name(VncDisplay *vd) {
189     switch (vd->auth) {
190     case VNC_AUTH_INVALID:
191         return "invalid";
192     case VNC_AUTH_NONE:
193         return "none";
194     case VNC_AUTH_VNC:
195         return "vnc";
196     case VNC_AUTH_RA2:
197         return "ra2";
198     case VNC_AUTH_RA2NE:
199         return "ra2ne";
200     case VNC_AUTH_TIGHT:
201         return "tight";
202     case VNC_AUTH_ULTRA:
203         return "ultra";
204     case VNC_AUTH_TLS:
205         return "tls";
206     case VNC_AUTH_VENCRYPT:
207         switch (vd->subauth) {
208         case VNC_AUTH_VENCRYPT_PLAIN:
209             return "vencrypt+plain";
210         case VNC_AUTH_VENCRYPT_TLSNONE:
211             return "vencrypt+tls+none";
212         case VNC_AUTH_VENCRYPT_TLSVNC:
213             return "vencrypt+tls+vnc";
214         case VNC_AUTH_VENCRYPT_TLSPLAIN:
215             return "vencrypt+tls+plain";
216         case VNC_AUTH_VENCRYPT_X509NONE:
217             return "vencrypt+x509+none";
218         case VNC_AUTH_VENCRYPT_X509VNC:
219             return "vencrypt+x509+vnc";
220         case VNC_AUTH_VENCRYPT_X509PLAIN:
221             return "vencrypt+x509+plain";
222         case VNC_AUTH_VENCRYPT_TLSSASL:
223             return "vencrypt+tls+sasl";
224         case VNC_AUTH_VENCRYPT_X509SASL:
225             return "vencrypt+x509+sasl";
226         default:
227             return "vencrypt";
228         }
229     case VNC_AUTH_SASL:
230         return "sasl";
231     }
232     return "unknown";
233 }
234 
235 static VncServerInfo *vnc_server_info_get(VncDisplay *vd)
236 {
237     VncServerInfo *info;
238     Error *err = NULL;
239 
240     if (!vd->listener || !vd->listener->nsioc) {
241         return NULL;
242     }
243 
244     info = g_malloc0(sizeof(*info));
245     vnc_init_basic_info_from_server_addr(vd->listener->sioc[0],
246                                          qapi_VncServerInfo_base(info), &err);
247     info->has_auth = true;
248     info->auth = g_strdup(vnc_auth_name(vd));
249     if (err) {
250         qapi_free_VncServerInfo(info);
251         info = NULL;
252         error_free(err);
253     }
254     return info;
255 }
256 
257 static void vnc_client_cache_auth(VncState *client)
258 {
259     if (!client->info) {
260         return;
261     }
262 
263     if (client->tls) {
264         client->info->x509_dname =
265             qcrypto_tls_session_get_peer_name(client->tls);
266         client->info->has_x509_dname =
267             client->info->x509_dname != NULL;
268     }
269 #ifdef CONFIG_VNC_SASL
270     if (client->sasl.conn &&
271         client->sasl.username) {
272         client->info->has_sasl_username = true;
273         client->info->sasl_username = g_strdup(client->sasl.username);
274     }
275 #endif
276 }
277 
278 static void vnc_client_cache_addr(VncState *client)
279 {
280     Error *err = NULL;
281 
282     client->info = g_malloc0(sizeof(*client->info));
283     vnc_init_basic_info_from_remote_addr(client->sioc,
284                                          qapi_VncClientInfo_base(client->info),
285                                          &err);
286     client->info->websocket = client->websocket;
287     if (err) {
288         qapi_free_VncClientInfo(client->info);
289         client->info = NULL;
290         error_free(err);
291     }
292 }
293 
294 static void vnc_qmp_event(VncState *vs, QAPIEvent event)
295 {
296     VncServerInfo *si;
297 
298     if (!vs->info) {
299         return;
300     }
301 
302     si = vnc_server_info_get(vs->vd);
303     if (!si) {
304         return;
305     }
306 
307     switch (event) {
308     case QAPI_EVENT_VNC_CONNECTED:
309         qapi_event_send_vnc_connected(si, qapi_VncClientInfo_base(vs->info));
310         break;
311     case QAPI_EVENT_VNC_INITIALIZED:
312         qapi_event_send_vnc_initialized(si, vs->info);
313         break;
314     case QAPI_EVENT_VNC_DISCONNECTED:
315         qapi_event_send_vnc_disconnected(si, vs->info);
316         break;
317     default:
318         break;
319     }
320 
321     qapi_free_VncServerInfo(si);
322 }
323 
324 static VncClientInfo *qmp_query_vnc_client(const VncState *client)
325 {
326     VncClientInfo *info;
327     Error *err = NULL;
328 
329     info = g_malloc0(sizeof(*info));
330 
331     vnc_init_basic_info_from_remote_addr(client->sioc,
332                                          qapi_VncClientInfo_base(info),
333                                          &err);
334     if (err) {
335         error_free(err);
336         qapi_free_VncClientInfo(info);
337         return NULL;
338     }
339 
340     info->websocket = client->websocket;
341 
342     if (client->tls) {
343         info->x509_dname = qcrypto_tls_session_get_peer_name(client->tls);
344         info->has_x509_dname = info->x509_dname != NULL;
345     }
346 #ifdef CONFIG_VNC_SASL
347     if (client->sasl.conn && client->sasl.username) {
348         info->has_sasl_username = true;
349         info->sasl_username = g_strdup(client->sasl.username);
350     }
351 #endif
352 
353     return info;
354 }
355 
356 static VncDisplay *vnc_display_find(const char *id)
357 {
358     VncDisplay *vd;
359 
360     if (id == NULL) {
361         return QTAILQ_FIRST(&vnc_displays);
362     }
363     QTAILQ_FOREACH(vd, &vnc_displays, next) {
364         if (strcmp(id, vd->id) == 0) {
365             return vd;
366         }
367     }
368     return NULL;
369 }
370 
371 static VncClientInfoList *qmp_query_client_list(VncDisplay *vd)
372 {
373     VncClientInfoList *prev = NULL;
374     VncState *client;
375 
376     QTAILQ_FOREACH(client, &vd->clients, next) {
377         QAPI_LIST_PREPEND(prev, qmp_query_vnc_client(client));
378     }
379     return prev;
380 }
381 
382 VncInfo *qmp_query_vnc(Error **errp)
383 {
384     VncInfo *info = g_malloc0(sizeof(*info));
385     VncDisplay *vd = vnc_display_find(NULL);
386     SocketAddress *addr = NULL;
387 
388     if (vd == NULL || !vd->listener || !vd->listener->nsioc) {
389         info->enabled = false;
390     } else {
391         info->enabled = true;
392 
393         /* for compatibility with the original command */
394         info->has_clients = true;
395         info->clients = qmp_query_client_list(vd);
396 
397         addr = qio_channel_socket_get_local_address(vd->listener->sioc[0],
398                                                     errp);
399         if (!addr) {
400             goto out_error;
401         }
402 
403         switch (addr->type) {
404         case SOCKET_ADDRESS_TYPE_INET:
405             info->host = g_strdup(addr->u.inet.host);
406             info->service = g_strdup(addr->u.inet.port);
407             if (addr->u.inet.ipv6) {
408                 info->family = NETWORK_ADDRESS_FAMILY_IPV6;
409             } else {
410                 info->family = NETWORK_ADDRESS_FAMILY_IPV4;
411             }
412             break;
413 
414         case SOCKET_ADDRESS_TYPE_UNIX:
415             info->host = g_strdup("");
416             info->service = g_strdup(addr->u.q_unix.path);
417             info->family = NETWORK_ADDRESS_FAMILY_UNIX;
418             break;
419 
420         case SOCKET_ADDRESS_TYPE_VSOCK:
421         case SOCKET_ADDRESS_TYPE_FD:
422             error_setg(errp, "Unsupported socket address type %s",
423                        SocketAddressType_str(addr->type));
424             goto out_error;
425         default:
426             abort();
427         }
428 
429         info->has_host = true;
430         info->has_service = true;
431         info->has_family = true;
432 
433         info->has_auth = true;
434         info->auth = g_strdup(vnc_auth_name(vd));
435     }
436 
437     qapi_free_SocketAddress(addr);
438     return info;
439 
440 out_error:
441     qapi_free_SocketAddress(addr);
442     qapi_free_VncInfo(info);
443     return NULL;
444 }
445 
446 
447 static void qmp_query_auth(int auth, int subauth,
448                            VncPrimaryAuth *qmp_auth,
449                            VncVencryptSubAuth *qmp_vencrypt,
450                            bool *qmp_has_vencrypt);
451 
452 static VncServerInfo2List *qmp_query_server_entry(QIOChannelSocket *ioc,
453                                                   bool websocket,
454                                                   int auth,
455                                                   int subauth,
456                                                   VncServerInfo2List *prev)
457 {
458     VncServerInfo2 *info;
459     Error *err = NULL;
460     SocketAddress *addr;
461 
462     addr = qio_channel_socket_get_local_address(ioc, NULL);
463     if (!addr) {
464         return prev;
465     }
466 
467     info = g_new0(VncServerInfo2, 1);
468     vnc_init_basic_info(addr, qapi_VncServerInfo2_base(info), &err);
469     qapi_free_SocketAddress(addr);
470     if (err) {
471         qapi_free_VncServerInfo2(info);
472         error_free(err);
473         return prev;
474     }
475     info->websocket = websocket;
476 
477     qmp_query_auth(auth, subauth, &info->auth,
478                    &info->vencrypt, &info->has_vencrypt);
479 
480     QAPI_LIST_PREPEND(prev, info);
481     return prev;
482 }
483 
484 static void qmp_query_auth(int auth, int subauth,
485                            VncPrimaryAuth *qmp_auth,
486                            VncVencryptSubAuth *qmp_vencrypt,
487                            bool *qmp_has_vencrypt)
488 {
489     switch (auth) {
490     case VNC_AUTH_VNC:
491         *qmp_auth = VNC_PRIMARY_AUTH_VNC;
492         break;
493     case VNC_AUTH_RA2:
494         *qmp_auth = VNC_PRIMARY_AUTH_RA2;
495         break;
496     case VNC_AUTH_RA2NE:
497         *qmp_auth = VNC_PRIMARY_AUTH_RA2NE;
498         break;
499     case VNC_AUTH_TIGHT:
500         *qmp_auth = VNC_PRIMARY_AUTH_TIGHT;
501         break;
502     case VNC_AUTH_ULTRA:
503         *qmp_auth = VNC_PRIMARY_AUTH_ULTRA;
504         break;
505     case VNC_AUTH_TLS:
506         *qmp_auth = VNC_PRIMARY_AUTH_TLS;
507         break;
508     case VNC_AUTH_VENCRYPT:
509         *qmp_auth = VNC_PRIMARY_AUTH_VENCRYPT;
510         *qmp_has_vencrypt = true;
511         switch (subauth) {
512         case VNC_AUTH_VENCRYPT_PLAIN:
513             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_PLAIN;
514             break;
515         case VNC_AUTH_VENCRYPT_TLSNONE:
516             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_NONE;
517             break;
518         case VNC_AUTH_VENCRYPT_TLSVNC:
519             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_VNC;
520             break;
521         case VNC_AUTH_VENCRYPT_TLSPLAIN:
522             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_PLAIN;
523             break;
524         case VNC_AUTH_VENCRYPT_X509NONE:
525             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_NONE;
526             break;
527         case VNC_AUTH_VENCRYPT_X509VNC:
528             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_VNC;
529             break;
530         case VNC_AUTH_VENCRYPT_X509PLAIN:
531             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_PLAIN;
532             break;
533         case VNC_AUTH_VENCRYPT_TLSSASL:
534             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_SASL;
535             break;
536         case VNC_AUTH_VENCRYPT_X509SASL:
537             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_SASL;
538             break;
539         default:
540             *qmp_has_vencrypt = false;
541             break;
542         }
543         break;
544     case VNC_AUTH_SASL:
545         *qmp_auth = VNC_PRIMARY_AUTH_SASL;
546         break;
547     case VNC_AUTH_NONE:
548     default:
549         *qmp_auth = VNC_PRIMARY_AUTH_NONE;
550         break;
551     }
552 }
553 
554 VncInfo2List *qmp_query_vnc_servers(Error **errp)
555 {
556     VncInfo2List *prev = NULL;
557     VncInfo2 *info;
558     VncDisplay *vd;
559     DeviceState *dev;
560     size_t i;
561 
562     QTAILQ_FOREACH(vd, &vnc_displays, next) {
563         info = g_new0(VncInfo2, 1);
564         info->id = g_strdup(vd->id);
565         info->clients = qmp_query_client_list(vd);
566         qmp_query_auth(vd->auth, vd->subauth, &info->auth,
567                        &info->vencrypt, &info->has_vencrypt);
568         if (vd->dcl.con) {
569             dev = DEVICE(object_property_get_link(OBJECT(vd->dcl.con),
570                                                   "device", &error_abort));
571             info->has_display = true;
572             info->display = g_strdup(dev->id);
573         }
574         for (i = 0; vd->listener != NULL && i < vd->listener->nsioc; i++) {
575             info->server = qmp_query_server_entry(
576                 vd->listener->sioc[i], false, vd->auth, vd->subauth,
577                 info->server);
578         }
579         for (i = 0; vd->wslistener != NULL && i < vd->wslistener->nsioc; i++) {
580             info->server = qmp_query_server_entry(
581                 vd->wslistener->sioc[i], true, vd->ws_auth,
582                 vd->ws_subauth, info->server);
583         }
584 
585         QAPI_LIST_PREPEND(prev, info);
586     }
587     return prev;
588 }
589 
590 bool vnc_display_reload_certs(const char *id, Error **errp)
591 {
592     VncDisplay *vd = vnc_display_find(id);
593     QCryptoTLSCredsClass *creds = NULL;
594 
595     if (!vd) {
596         error_setg(errp, "Can not find vnc display");
597         return false;
598     }
599 
600     if (!vd->tlscreds) {
601         error_setg(errp, "vnc tls is not enabled");
602         return false;
603     }
604 
605     creds = QCRYPTO_TLS_CREDS_GET_CLASS(OBJECT(vd->tlscreds));
606     if (creds->reload == NULL) {
607         error_setg(errp, "%s doesn't support to reload TLS credential",
608                    object_get_typename(OBJECT(vd->tlscreds)));
609         return false;
610     }
611     if (!creds->reload(vd->tlscreds, errp)) {
612         return false;
613     }
614 
615     return true;
616 }
617 
618 /* TODO
619    1) Get the queue working for IO.
620    2) there is some weirdness when using the -S option (the screen is grey
621       and not totally invalidated
622    3) resolutions > 1024
623 */
624 
625 static int vnc_update_client(VncState *vs, int has_dirty);
626 static void vnc_disconnect_start(VncState *vs);
627 
628 static void vnc_colordepth(VncState *vs);
629 static void framebuffer_update_request(VncState *vs, int incremental,
630                                        int x_position, int y_position,
631                                        int w, int h);
632 static void vnc_refresh(DisplayChangeListener *dcl);
633 static int vnc_refresh_server_surface(VncDisplay *vd);
634 
635 static int vnc_width(VncDisplay *vd)
636 {
637     return MIN(VNC_MAX_WIDTH, ROUND_UP(surface_width(vd->ds),
638                                        VNC_DIRTY_PIXELS_PER_BIT));
639 }
640 
641 static int vnc_true_width(VncDisplay *vd)
642 {
643     return MIN(VNC_MAX_WIDTH, surface_width(vd->ds));
644 }
645 
646 static int vnc_height(VncDisplay *vd)
647 {
648     return MIN(VNC_MAX_HEIGHT, surface_height(vd->ds));
649 }
650 
651 static void vnc_set_area_dirty(DECLARE_BITMAP(dirty[VNC_MAX_HEIGHT],
652                                VNC_MAX_WIDTH / VNC_DIRTY_PIXELS_PER_BIT),
653                                VncDisplay *vd,
654                                int x, int y, int w, int h)
655 {
656     int width = vnc_width(vd);
657     int height = vnc_height(vd);
658 
659     /* this is needed this to ensure we updated all affected
660      * blocks if x % VNC_DIRTY_PIXELS_PER_BIT != 0 */
661     w += (x % VNC_DIRTY_PIXELS_PER_BIT);
662     x -= (x % VNC_DIRTY_PIXELS_PER_BIT);
663 
664     x = MIN(x, width);
665     y = MIN(y, height);
666     w = MIN(x + w, width) - x;
667     h = MIN(y + h, height);
668 
669     for (; y < h; y++) {
670         bitmap_set(dirty[y], x / VNC_DIRTY_PIXELS_PER_BIT,
671                    DIV_ROUND_UP(w, VNC_DIRTY_PIXELS_PER_BIT));
672     }
673 }
674 
675 static void vnc_dpy_update(DisplayChangeListener *dcl,
676                            int x, int y, int w, int h)
677 {
678     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
679     struct VncSurface *s = &vd->guest;
680 
681     vnc_set_area_dirty(s->dirty, vd, x, y, w, h);
682 }
683 
684 void vnc_framebuffer_update(VncState *vs, int x, int y, int w, int h,
685                             int32_t encoding)
686 {
687     vnc_write_u16(vs, x);
688     vnc_write_u16(vs, y);
689     vnc_write_u16(vs, w);
690     vnc_write_u16(vs, h);
691 
692     vnc_write_s32(vs, encoding);
693 }
694 
695 static void vnc_desktop_resize_ext(VncState *vs, int reject_reason)
696 {
697     trace_vnc_msg_server_ext_desktop_resize(
698         vs, vs->ioc, vs->client_width, vs->client_height, reject_reason);
699 
700     vnc_lock_output(vs);
701     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
702     vnc_write_u8(vs, 0);
703     vnc_write_u16(vs, 1); /* number of rects */
704     vnc_framebuffer_update(vs,
705                            reject_reason ? 1 : 0,
706                            reject_reason,
707                            vs->client_width, vs->client_height,
708                            VNC_ENCODING_DESKTOP_RESIZE_EXT);
709     vnc_write_u8(vs, 1);  /* number of screens */
710     vnc_write_u8(vs, 0);  /* padding */
711     vnc_write_u8(vs, 0);  /* padding */
712     vnc_write_u8(vs, 0);  /* padding */
713     vnc_write_u32(vs, 0); /* screen id */
714     vnc_write_u16(vs, 0); /* screen x-pos */
715     vnc_write_u16(vs, 0); /* screen y-pos */
716     vnc_write_u16(vs, vs->client_width);
717     vnc_write_u16(vs, vs->client_height);
718     vnc_write_u32(vs, 0); /* screen flags */
719     vnc_unlock_output(vs);
720     vnc_flush(vs);
721 }
722 
723 static void vnc_desktop_resize(VncState *vs)
724 {
725     if (vs->ioc == NULL || (!vnc_has_feature(vs, VNC_FEATURE_RESIZE) &&
726                             !vnc_has_feature(vs, VNC_FEATURE_RESIZE_EXT))) {
727         return;
728     }
729     if (vs->client_width == vs->vd->true_width &&
730         vs->client_height == pixman_image_get_height(vs->vd->server)) {
731         return;
732     }
733 
734     assert(vs->vd->true_width < 65536 &&
735            vs->vd->true_width >= 0);
736     assert(pixman_image_get_height(vs->vd->server) < 65536 &&
737            pixman_image_get_height(vs->vd->server) >= 0);
738     vs->client_width = vs->vd->true_width;
739     vs->client_height = pixman_image_get_height(vs->vd->server);
740 
741     if (vnc_has_feature(vs, VNC_FEATURE_RESIZE_EXT)) {
742         vnc_desktop_resize_ext(vs, 0);
743         return;
744     }
745 
746     trace_vnc_msg_server_desktop_resize(
747         vs, vs->ioc, vs->client_width, vs->client_height);
748 
749     vnc_lock_output(vs);
750     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
751     vnc_write_u8(vs, 0);
752     vnc_write_u16(vs, 1); /* number of rects */
753     vnc_framebuffer_update(vs, 0, 0, vs->client_width, vs->client_height,
754                            VNC_ENCODING_DESKTOPRESIZE);
755     vnc_unlock_output(vs);
756     vnc_flush(vs);
757 }
758 
759 static void vnc_abort_display_jobs(VncDisplay *vd)
760 {
761     VncState *vs;
762 
763     QTAILQ_FOREACH(vs, &vd->clients, next) {
764         vnc_lock_output(vs);
765         vs->abort = true;
766         vnc_unlock_output(vs);
767     }
768     QTAILQ_FOREACH(vs, &vd->clients, next) {
769         vnc_jobs_join(vs);
770     }
771     QTAILQ_FOREACH(vs, &vd->clients, next) {
772         vnc_lock_output(vs);
773         if (vs->update == VNC_STATE_UPDATE_NONE &&
774             vs->job_update != VNC_STATE_UPDATE_NONE) {
775             /* job aborted before completion */
776             vs->update = vs->job_update;
777             vs->job_update = VNC_STATE_UPDATE_NONE;
778         }
779         vs->abort = false;
780         vnc_unlock_output(vs);
781     }
782 }
783 
784 int vnc_server_fb_stride(VncDisplay *vd)
785 {
786     return pixman_image_get_stride(vd->server);
787 }
788 
789 void *vnc_server_fb_ptr(VncDisplay *vd, int x, int y)
790 {
791     uint8_t *ptr;
792 
793     ptr  = (uint8_t *)pixman_image_get_data(vd->server);
794     ptr += y * vnc_server_fb_stride(vd);
795     ptr += x * VNC_SERVER_FB_BYTES;
796     return ptr;
797 }
798 
799 static void vnc_update_server_surface(VncDisplay *vd)
800 {
801     int width, height;
802 
803     qemu_pixman_image_unref(vd->server);
804     vd->server = NULL;
805 
806     if (QTAILQ_EMPTY(&vd->clients)) {
807         return;
808     }
809 
810     width = vnc_width(vd);
811     height = vnc_height(vd);
812     vd->true_width = vnc_true_width(vd);
813     vd->server = pixman_image_create_bits(VNC_SERVER_FB_FORMAT,
814                                           width, height,
815                                           NULL, 0);
816 
817     memset(vd->guest.dirty, 0x00, sizeof(vd->guest.dirty));
818     vnc_set_area_dirty(vd->guest.dirty, vd, 0, 0,
819                        width, height);
820 }
821 
822 static bool vnc_check_pageflip(DisplaySurface *s1,
823                                DisplaySurface *s2)
824 {
825     return (s1 != NULL &&
826             s2 != NULL &&
827             surface_width(s1) == surface_width(s2) &&
828             surface_height(s1) == surface_height(s2) &&
829             surface_format(s1) == surface_format(s2));
830 
831 }
832 
833 static void vnc_dpy_switch(DisplayChangeListener *dcl,
834                            DisplaySurface *surface)
835 {
836     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
837     bool pageflip = vnc_check_pageflip(vd->ds, surface);
838     VncState *vs;
839 
840     vnc_abort_display_jobs(vd);
841     vd->ds = surface;
842 
843     /* guest surface */
844     qemu_pixman_image_unref(vd->guest.fb);
845     vd->guest.fb = pixman_image_ref(surface->image);
846     vd->guest.format = surface->format;
847 
848 
849     if (pageflip) {
850         trace_vnc_server_dpy_pageflip(vd,
851                                       surface_width(surface),
852                                       surface_height(surface),
853                                       surface_format(surface));
854         vnc_set_area_dirty(vd->guest.dirty, vd, 0, 0,
855                            surface_width(surface),
856                            surface_height(surface));
857         return;
858     }
859 
860     trace_vnc_server_dpy_recreate(vd,
861                                   surface_width(surface),
862                                   surface_height(surface),
863                                   surface_format(surface));
864     /* server surface */
865     vnc_update_server_surface(vd);
866 
867     QTAILQ_FOREACH(vs, &vd->clients, next) {
868         vnc_colordepth(vs);
869         vnc_desktop_resize(vs);
870         vnc_cursor_define(vs);
871         memset(vs->dirty, 0x00, sizeof(vs->dirty));
872         vnc_set_area_dirty(vs->dirty, vd, 0, 0,
873                            vnc_width(vd),
874                            vnc_height(vd));
875         vnc_update_throttle_offset(vs);
876     }
877 }
878 
879 /* fastest code */
880 static void vnc_write_pixels_copy(VncState *vs,
881                                   void *pixels, int size)
882 {
883     vnc_write(vs, pixels, size);
884 }
885 
886 /* slowest but generic code. */
887 void vnc_convert_pixel(VncState *vs, uint8_t *buf, uint32_t v)
888 {
889     uint8_t r, g, b;
890 
891 #if VNC_SERVER_FB_FORMAT == PIXMAN_FORMAT(32, PIXMAN_TYPE_ARGB, 0, 8, 8, 8)
892     r = (((v & 0x00ff0000) >> 16) << vs->client_pf.rbits) >> 8;
893     g = (((v & 0x0000ff00) >>  8) << vs->client_pf.gbits) >> 8;
894     b = (((v & 0x000000ff) >>  0) << vs->client_pf.bbits) >> 8;
895 #else
896 # error need some bits here if you change VNC_SERVER_FB_FORMAT
897 #endif
898     v = (r << vs->client_pf.rshift) |
899         (g << vs->client_pf.gshift) |
900         (b << vs->client_pf.bshift);
901     switch (vs->client_pf.bytes_per_pixel) {
902     case 1:
903         buf[0] = v;
904         break;
905     case 2:
906         if (vs->client_be) {
907             buf[0] = v >> 8;
908             buf[1] = v;
909         } else {
910             buf[1] = v >> 8;
911             buf[0] = v;
912         }
913         break;
914     default:
915     case 4:
916         if (vs->client_be) {
917             buf[0] = v >> 24;
918             buf[1] = v >> 16;
919             buf[2] = v >> 8;
920             buf[3] = v;
921         } else {
922             buf[3] = v >> 24;
923             buf[2] = v >> 16;
924             buf[1] = v >> 8;
925             buf[0] = v;
926         }
927         break;
928     }
929 }
930 
931 static void vnc_write_pixels_generic(VncState *vs,
932                                      void *pixels1, int size)
933 {
934     uint8_t buf[4];
935 
936     if (VNC_SERVER_FB_BYTES == 4) {
937         uint32_t *pixels = pixels1;
938         int n, i;
939         n = size >> 2;
940         for (i = 0; i < n; i++) {
941             vnc_convert_pixel(vs, buf, pixels[i]);
942             vnc_write(vs, buf, vs->client_pf.bytes_per_pixel);
943         }
944     }
945 }
946 
947 int vnc_raw_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
948 {
949     int i;
950     uint8_t *row;
951     VncDisplay *vd = vs->vd;
952 
953     row = vnc_server_fb_ptr(vd, x, y);
954     for (i = 0; i < h; i++) {
955         vs->write_pixels(vs, row, w * VNC_SERVER_FB_BYTES);
956         row += vnc_server_fb_stride(vd);
957     }
958     return 1;
959 }
960 
961 int vnc_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
962 {
963     int n = 0;
964 
965     switch(vs->vnc_encoding) {
966         case VNC_ENCODING_ZLIB:
967             n = vnc_zlib_send_framebuffer_update(vs, x, y, w, h);
968             break;
969         case VNC_ENCODING_HEXTILE:
970             vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_HEXTILE);
971             n = vnc_hextile_send_framebuffer_update(vs, x, y, w, h);
972             break;
973         case VNC_ENCODING_TIGHT:
974             n = vnc_tight_send_framebuffer_update(vs, x, y, w, h);
975             break;
976         case VNC_ENCODING_TIGHT_PNG:
977             n = vnc_tight_png_send_framebuffer_update(vs, x, y, w, h);
978             break;
979         case VNC_ENCODING_ZRLE:
980             n = vnc_zrle_send_framebuffer_update(vs, x, y, w, h);
981             break;
982         case VNC_ENCODING_ZYWRLE:
983             n = vnc_zywrle_send_framebuffer_update(vs, x, y, w, h);
984             break;
985         default:
986             vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_RAW);
987             n = vnc_raw_send_framebuffer_update(vs, x, y, w, h);
988             break;
989     }
990     return n;
991 }
992 
993 static void vnc_mouse_set(DisplayChangeListener *dcl,
994                           int x, int y, int visible)
995 {
996     /* can we ask the client(s) to move the pointer ??? */
997 }
998 
999 static int vnc_cursor_define(VncState *vs)
1000 {
1001     QEMUCursor *c = vs->vd->cursor;
1002     int isize;
1003 
1004     if (!vs->vd->cursor) {
1005         return -1;
1006     }
1007 
1008     if (vnc_has_feature(vs, VNC_FEATURE_ALPHA_CURSOR)) {
1009         vnc_lock_output(vs);
1010         vnc_write_u8(vs,  VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1011         vnc_write_u8(vs,  0);  /*  padding     */
1012         vnc_write_u16(vs, 1);  /*  # of rects  */
1013         vnc_framebuffer_update(vs, c->hot_x, c->hot_y, c->width, c->height,
1014                                VNC_ENCODING_ALPHA_CURSOR);
1015         vnc_write_s32(vs, VNC_ENCODING_RAW);
1016         vnc_write(vs, c->data, c->width * c->height * 4);
1017         vnc_unlock_output(vs);
1018         return 0;
1019     }
1020     if (vnc_has_feature(vs, VNC_FEATURE_RICH_CURSOR)) {
1021         vnc_lock_output(vs);
1022         vnc_write_u8(vs,  VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1023         vnc_write_u8(vs,  0);  /*  padding     */
1024         vnc_write_u16(vs, 1);  /*  # of rects  */
1025         vnc_framebuffer_update(vs, c->hot_x, c->hot_y, c->width, c->height,
1026                                VNC_ENCODING_RICH_CURSOR);
1027         isize = c->width * c->height * vs->client_pf.bytes_per_pixel;
1028         vnc_write_pixels_generic(vs, c->data, isize);
1029         vnc_write(vs, vs->vd->cursor_mask, vs->vd->cursor_msize);
1030         vnc_unlock_output(vs);
1031         return 0;
1032     }
1033     return -1;
1034 }
1035 
1036 static void vnc_dpy_cursor_define(DisplayChangeListener *dcl,
1037                                   QEMUCursor *c)
1038 {
1039     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
1040     VncState *vs;
1041 
1042     cursor_put(vd->cursor);
1043     g_free(vd->cursor_mask);
1044 
1045     vd->cursor = c;
1046     cursor_get(vd->cursor);
1047     vd->cursor_msize = cursor_get_mono_bpl(c) * c->height;
1048     vd->cursor_mask = g_malloc0(vd->cursor_msize);
1049     cursor_get_mono_mask(c, 0, vd->cursor_mask);
1050 
1051     QTAILQ_FOREACH(vs, &vd->clients, next) {
1052         vnc_cursor_define(vs);
1053     }
1054 }
1055 
1056 static int find_and_clear_dirty_height(VncState *vs,
1057                                        int y, int last_x, int x, int height)
1058 {
1059     int h;
1060 
1061     for (h = 1; h < (height - y); h++) {
1062         if (!test_bit(last_x, vs->dirty[y + h])) {
1063             break;
1064         }
1065         bitmap_clear(vs->dirty[y + h], last_x, x - last_x);
1066     }
1067 
1068     return h;
1069 }
1070 
1071 /*
1072  * Figure out how much pending data we should allow in the output
1073  * buffer before we throttle incremental display updates, and/or
1074  * drop audio samples.
1075  *
1076  * We allow for equiv of 1 full display's worth of FB updates,
1077  * and 1 second of audio samples. If audio backlog was larger
1078  * than that the client would already suffering awful audio
1079  * glitches, so dropping samples is no worse really).
1080  */
1081 static void vnc_update_throttle_offset(VncState *vs)
1082 {
1083     size_t offset =
1084         vs->client_width * vs->client_height * vs->client_pf.bytes_per_pixel;
1085 
1086     if (vs->audio_cap) {
1087         int bps;
1088         switch (vs->as.fmt) {
1089         default:
1090         case  AUDIO_FORMAT_U8:
1091         case  AUDIO_FORMAT_S8:
1092             bps = 1;
1093             break;
1094         case  AUDIO_FORMAT_U16:
1095         case  AUDIO_FORMAT_S16:
1096             bps = 2;
1097             break;
1098         case  AUDIO_FORMAT_U32:
1099         case  AUDIO_FORMAT_S32:
1100             bps = 4;
1101             break;
1102         }
1103         offset += vs->as.freq * bps * vs->as.nchannels;
1104     }
1105 
1106     /* Put a floor of 1MB on offset, so that if we have a large pending
1107      * buffer and the display is resized to a small size & back again
1108      * we don't suddenly apply a tiny send limit
1109      */
1110     offset = MAX(offset, 1024 * 1024);
1111 
1112     if (vs->throttle_output_offset != offset) {
1113         trace_vnc_client_throttle_threshold(
1114             vs, vs->ioc, vs->throttle_output_offset, offset, vs->client_width,
1115             vs->client_height, vs->client_pf.bytes_per_pixel, vs->audio_cap);
1116     }
1117 
1118     vs->throttle_output_offset = offset;
1119 }
1120 
1121 static bool vnc_should_update(VncState *vs)
1122 {
1123     switch (vs->update) {
1124     case VNC_STATE_UPDATE_NONE:
1125         break;
1126     case VNC_STATE_UPDATE_INCREMENTAL:
1127         /* Only allow incremental updates if the pending send queue
1128          * is less than the permitted threshold, and the job worker
1129          * is completely idle.
1130          */
1131         if (vs->output.offset < vs->throttle_output_offset &&
1132             vs->job_update == VNC_STATE_UPDATE_NONE) {
1133             return true;
1134         }
1135         trace_vnc_client_throttle_incremental(
1136             vs, vs->ioc, vs->job_update, vs->output.offset);
1137         break;
1138     case VNC_STATE_UPDATE_FORCE:
1139         /* Only allow forced updates if the pending send queue
1140          * does not contain a previous forced update, and the
1141          * job worker is completely idle.
1142          *
1143          * Note this means we'll queue a forced update, even if
1144          * the output buffer size is otherwise over the throttle
1145          * output limit.
1146          */
1147         if (vs->force_update_offset == 0 &&
1148             vs->job_update == VNC_STATE_UPDATE_NONE) {
1149             return true;
1150         }
1151         trace_vnc_client_throttle_forced(
1152             vs, vs->ioc, vs->job_update, vs->force_update_offset);
1153         break;
1154     }
1155     return false;
1156 }
1157 
1158 static int vnc_update_client(VncState *vs, int has_dirty)
1159 {
1160     VncDisplay *vd = vs->vd;
1161     VncJob *job;
1162     int y;
1163     int height, width;
1164     int n = 0;
1165 
1166     if (vs->disconnecting) {
1167         vnc_disconnect_finish(vs);
1168         return 0;
1169     }
1170 
1171     vs->has_dirty += has_dirty;
1172     if (!vnc_should_update(vs)) {
1173         return 0;
1174     }
1175 
1176     if (!vs->has_dirty && vs->update != VNC_STATE_UPDATE_FORCE) {
1177         return 0;
1178     }
1179 
1180     /*
1181      * Send screen updates to the vnc client using the server
1182      * surface and server dirty map.  guest surface updates
1183      * happening in parallel don't disturb us, the next pass will
1184      * send them to the client.
1185      */
1186     job = vnc_job_new(vs);
1187 
1188     height = pixman_image_get_height(vd->server);
1189     width = pixman_image_get_width(vd->server);
1190 
1191     y = 0;
1192     for (;;) {
1193         int x, h;
1194         unsigned long x2;
1195         unsigned long offset = find_next_bit((unsigned long *) &vs->dirty,
1196                                              height * VNC_DIRTY_BPL(vs),
1197                                              y * VNC_DIRTY_BPL(vs));
1198         if (offset == height * VNC_DIRTY_BPL(vs)) {
1199             /* no more dirty bits */
1200             break;
1201         }
1202         y = offset / VNC_DIRTY_BPL(vs);
1203         x = offset % VNC_DIRTY_BPL(vs);
1204         x2 = find_next_zero_bit((unsigned long *) &vs->dirty[y],
1205                                 VNC_DIRTY_BPL(vs), x);
1206         bitmap_clear(vs->dirty[y], x, x2 - x);
1207         h = find_and_clear_dirty_height(vs, y, x, x2, height);
1208         x2 = MIN(x2, width / VNC_DIRTY_PIXELS_PER_BIT);
1209         if (x2 > x) {
1210             n += vnc_job_add_rect(job, x * VNC_DIRTY_PIXELS_PER_BIT, y,
1211                                   (x2 - x) * VNC_DIRTY_PIXELS_PER_BIT, h);
1212         }
1213         if (!x && x2 == width / VNC_DIRTY_PIXELS_PER_BIT) {
1214             y += h;
1215             if (y == height) {
1216                 break;
1217             }
1218         }
1219     }
1220 
1221     vs->job_update = vs->update;
1222     vs->update = VNC_STATE_UPDATE_NONE;
1223     vnc_job_push(job);
1224     vs->has_dirty = 0;
1225     return n;
1226 }
1227 
1228 /* audio */
1229 static void audio_capture_notify(void *opaque, audcnotification_e cmd)
1230 {
1231     VncState *vs = opaque;
1232 
1233     assert(vs->magic == VNC_MAGIC);
1234     switch (cmd) {
1235     case AUD_CNOTIFY_DISABLE:
1236         trace_vnc_msg_server_audio_end(vs, vs->ioc);
1237         vnc_lock_output(vs);
1238         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1239         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1240         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_END);
1241         vnc_unlock_output(vs);
1242         vnc_flush(vs);
1243         break;
1244 
1245     case AUD_CNOTIFY_ENABLE:
1246         trace_vnc_msg_server_audio_begin(vs, vs->ioc);
1247         vnc_lock_output(vs);
1248         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1249         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1250         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_BEGIN);
1251         vnc_unlock_output(vs);
1252         vnc_flush(vs);
1253         break;
1254     }
1255 }
1256 
1257 static void audio_capture_destroy(void *opaque)
1258 {
1259 }
1260 
1261 static void audio_capture(void *opaque, const void *buf, int size)
1262 {
1263     VncState *vs = opaque;
1264 
1265     assert(vs->magic == VNC_MAGIC);
1266     trace_vnc_msg_server_audio_data(vs, vs->ioc, buf, size);
1267     vnc_lock_output(vs);
1268     if (vs->output.offset < vs->throttle_output_offset) {
1269         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1270         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1271         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_DATA);
1272         vnc_write_u32(vs, size);
1273         vnc_write(vs, buf, size);
1274     } else {
1275         trace_vnc_client_throttle_audio(vs, vs->ioc, vs->output.offset);
1276     }
1277     vnc_unlock_output(vs);
1278     vnc_flush(vs);
1279 }
1280 
1281 static void audio_add(VncState *vs)
1282 {
1283     struct audio_capture_ops ops;
1284 
1285     if (vs->audio_cap) {
1286         error_report("audio already running");
1287         return;
1288     }
1289 
1290     ops.notify = audio_capture_notify;
1291     ops.destroy = audio_capture_destroy;
1292     ops.capture = audio_capture;
1293 
1294     vs->audio_cap = AUD_add_capture(vs->vd->audio_state, &vs->as, &ops, vs);
1295     if (!vs->audio_cap) {
1296         error_report("Failed to add audio capture");
1297     }
1298 }
1299 
1300 static void audio_del(VncState *vs)
1301 {
1302     if (vs->audio_cap) {
1303         AUD_del_capture(vs->audio_cap, vs);
1304         vs->audio_cap = NULL;
1305     }
1306 }
1307 
1308 static void vnc_disconnect_start(VncState *vs)
1309 {
1310     if (vs->disconnecting) {
1311         return;
1312     }
1313     trace_vnc_client_disconnect_start(vs, vs->ioc);
1314     vnc_set_share_mode(vs, VNC_SHARE_MODE_DISCONNECTED);
1315     if (vs->ioc_tag) {
1316         g_source_remove(vs->ioc_tag);
1317         vs->ioc_tag = 0;
1318     }
1319     qio_channel_close(vs->ioc, NULL);
1320     vs->disconnecting = TRUE;
1321 }
1322 
1323 void vnc_disconnect_finish(VncState *vs)
1324 {
1325     int i;
1326 
1327     trace_vnc_client_disconnect_finish(vs, vs->ioc);
1328 
1329     vnc_jobs_join(vs); /* Wait encoding jobs */
1330 
1331     vnc_lock_output(vs);
1332     vnc_qmp_event(vs, QAPI_EVENT_VNC_DISCONNECTED);
1333 
1334     buffer_free(&vs->input);
1335     buffer_free(&vs->output);
1336 
1337     qapi_free_VncClientInfo(vs->info);
1338 
1339     vnc_zlib_clear(vs);
1340     vnc_tight_clear(vs);
1341     vnc_zrle_clear(vs);
1342 
1343 #ifdef CONFIG_VNC_SASL
1344     vnc_sasl_client_cleanup(vs);
1345 #endif /* CONFIG_VNC_SASL */
1346     audio_del(vs);
1347     qkbd_state_lift_all_keys(vs->vd->kbd);
1348 
1349     if (vs->mouse_mode_notifier.notify != NULL) {
1350         qemu_remove_mouse_mode_change_notifier(&vs->mouse_mode_notifier);
1351     }
1352     QTAILQ_REMOVE(&vs->vd->clients, vs, next);
1353     if (QTAILQ_EMPTY(&vs->vd->clients)) {
1354         /* last client gone */
1355         vnc_update_server_surface(vs->vd);
1356     }
1357     vnc_unlock_output(vs);
1358 
1359     if (vs->cbpeer.notifier.notify) {
1360         qemu_clipboard_peer_unregister(&vs->cbpeer);
1361     }
1362 
1363     qemu_mutex_destroy(&vs->output_mutex);
1364     if (vs->bh != NULL) {
1365         qemu_bh_delete(vs->bh);
1366     }
1367     buffer_free(&vs->jobs_buffer);
1368 
1369     for (i = 0; i < VNC_STAT_ROWS; ++i) {
1370         g_free(vs->lossy_rect[i]);
1371     }
1372     g_free(vs->lossy_rect);
1373 
1374     object_unref(OBJECT(vs->ioc));
1375     vs->ioc = NULL;
1376     object_unref(OBJECT(vs->sioc));
1377     vs->sioc = NULL;
1378     vs->magic = 0;
1379     g_free(vs->zrle);
1380     g_free(vs->tight);
1381     g_free(vs);
1382 }
1383 
1384 size_t vnc_client_io_error(VncState *vs, ssize_t ret, Error *err)
1385 {
1386     if (ret <= 0) {
1387         if (ret == 0) {
1388             trace_vnc_client_eof(vs, vs->ioc);
1389             vnc_disconnect_start(vs);
1390         } else if (ret != QIO_CHANNEL_ERR_BLOCK) {
1391             trace_vnc_client_io_error(vs, vs->ioc,
1392                                       err ? error_get_pretty(err) : "Unknown");
1393             vnc_disconnect_start(vs);
1394         }
1395 
1396         error_free(err);
1397         return 0;
1398     }
1399     return ret;
1400 }
1401 
1402 
1403 void vnc_client_error(VncState *vs)
1404 {
1405     VNC_DEBUG("Closing down client sock: protocol error\n");
1406     vnc_disconnect_start(vs);
1407 }
1408 
1409 
1410 /*
1411  * Called to write a chunk of data to the client socket. The data may
1412  * be the raw data, or may have already been encoded by SASL.
1413  * The data will be written either straight onto the socket, or
1414  * written via the GNUTLS wrappers, if TLS/SSL encryption is enabled
1415  *
1416  * NB, it is theoretically possible to have 2 layers of encryption,
1417  * both SASL, and this TLS layer. It is highly unlikely in practice
1418  * though, since SASL encryption will typically be a no-op if TLS
1419  * is active
1420  *
1421  * Returns the number of bytes written, which may be less than
1422  * the requested 'datalen' if the socket would block. Returns
1423  * 0 on I/O error, and disconnects the client socket.
1424  */
1425 size_t vnc_client_write_buf(VncState *vs, const uint8_t *data, size_t datalen)
1426 {
1427     Error *err = NULL;
1428     ssize_t ret;
1429     ret = qio_channel_write(vs->ioc, (const char *)data, datalen, &err);
1430     VNC_DEBUG("Wrote wire %p %zd -> %ld\n", data, datalen, ret);
1431     return vnc_client_io_error(vs, ret, err);
1432 }
1433 
1434 
1435 /*
1436  * Called to write buffered data to the client socket, when not
1437  * using any SASL SSF encryption layers. Will write as much data
1438  * as possible without blocking. If all buffered data is written,
1439  * will switch the FD poll() handler back to read monitoring.
1440  *
1441  * Returns the number of bytes written, which may be less than
1442  * the buffered output data if the socket would block.  Returns
1443  * 0 on I/O error, and disconnects the client socket.
1444  */
1445 static size_t vnc_client_write_plain(VncState *vs)
1446 {
1447     size_t offset;
1448     size_t ret;
1449 
1450 #ifdef CONFIG_VNC_SASL
1451     VNC_DEBUG("Write Plain: Pending output %p size %zd offset %zd. Wait SSF %d\n",
1452               vs->output.buffer, vs->output.capacity, vs->output.offset,
1453               vs->sasl.waitWriteSSF);
1454 
1455     if (vs->sasl.conn &&
1456         vs->sasl.runSSF &&
1457         vs->sasl.waitWriteSSF) {
1458         ret = vnc_client_write_buf(vs, vs->output.buffer, vs->sasl.waitWriteSSF);
1459         if (ret)
1460             vs->sasl.waitWriteSSF -= ret;
1461     } else
1462 #endif /* CONFIG_VNC_SASL */
1463         ret = vnc_client_write_buf(vs, vs->output.buffer, vs->output.offset);
1464     if (!ret)
1465         return 0;
1466 
1467     if (ret >= vs->force_update_offset) {
1468         if (vs->force_update_offset != 0) {
1469             trace_vnc_client_unthrottle_forced(vs, vs->ioc);
1470         }
1471         vs->force_update_offset = 0;
1472     } else {
1473         vs->force_update_offset -= ret;
1474     }
1475     offset = vs->output.offset;
1476     buffer_advance(&vs->output, ret);
1477     if (offset >= vs->throttle_output_offset &&
1478         vs->output.offset < vs->throttle_output_offset) {
1479         trace_vnc_client_unthrottle_incremental(vs, vs->ioc, vs->output.offset);
1480     }
1481 
1482     if (vs->output.offset == 0) {
1483         if (vs->ioc_tag) {
1484             g_source_remove(vs->ioc_tag);
1485         }
1486         vs->ioc_tag = qio_channel_add_watch(
1487             vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
1488             vnc_client_io, vs, NULL);
1489     }
1490 
1491     return ret;
1492 }
1493 
1494 
1495 /*
1496  * First function called whenever there is data to be written to
1497  * the client socket. Will delegate actual work according to whether
1498  * SASL SSF layers are enabled (thus requiring encryption calls)
1499  */
1500 static void vnc_client_write_locked(VncState *vs)
1501 {
1502 #ifdef CONFIG_VNC_SASL
1503     if (vs->sasl.conn &&
1504         vs->sasl.runSSF &&
1505         !vs->sasl.waitWriteSSF) {
1506         vnc_client_write_sasl(vs);
1507     } else
1508 #endif /* CONFIG_VNC_SASL */
1509     {
1510         vnc_client_write_plain(vs);
1511     }
1512 }
1513 
1514 static void vnc_client_write(VncState *vs)
1515 {
1516     assert(vs->magic == VNC_MAGIC);
1517     vnc_lock_output(vs);
1518     if (vs->output.offset) {
1519         vnc_client_write_locked(vs);
1520     } else if (vs->ioc != NULL) {
1521         if (vs->ioc_tag) {
1522             g_source_remove(vs->ioc_tag);
1523         }
1524         vs->ioc_tag = qio_channel_add_watch(
1525             vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
1526             vnc_client_io, vs, NULL);
1527     }
1528     vnc_unlock_output(vs);
1529 }
1530 
1531 void vnc_read_when(VncState *vs, VncReadEvent *func, size_t expecting)
1532 {
1533     vs->read_handler = func;
1534     vs->read_handler_expect = expecting;
1535 }
1536 
1537 
1538 /*
1539  * Called to read a chunk of data from the client socket. The data may
1540  * be the raw data, or may need to be further decoded by SASL.
1541  * The data will be read either straight from to the socket, or
1542  * read via the GNUTLS wrappers, if TLS/SSL encryption is enabled
1543  *
1544  * NB, it is theoretically possible to have 2 layers of encryption,
1545  * both SASL, and this TLS layer. It is highly unlikely in practice
1546  * though, since SASL encryption will typically be a no-op if TLS
1547  * is active
1548  *
1549  * Returns the number of bytes read, which may be less than
1550  * the requested 'datalen' if the socket would block. Returns
1551  * 0 on I/O error or EOF, and disconnects the client socket.
1552  */
1553 size_t vnc_client_read_buf(VncState *vs, uint8_t *data, size_t datalen)
1554 {
1555     ssize_t ret;
1556     Error *err = NULL;
1557     ret = qio_channel_read(vs->ioc, (char *)data, datalen, &err);
1558     VNC_DEBUG("Read wire %p %zd -> %ld\n", data, datalen, ret);
1559     return vnc_client_io_error(vs, ret, err);
1560 }
1561 
1562 
1563 /*
1564  * Called to read data from the client socket to the input buffer,
1565  * when not using any SASL SSF encryption layers. Will read as much
1566  * data as possible without blocking.
1567  *
1568  * Returns the number of bytes read, which may be less than
1569  * the requested 'datalen' if the socket would block. Returns
1570  * 0 on I/O error or EOF, and disconnects the client socket.
1571  */
1572 static size_t vnc_client_read_plain(VncState *vs)
1573 {
1574     size_t ret;
1575     VNC_DEBUG("Read plain %p size %zd offset %zd\n",
1576               vs->input.buffer, vs->input.capacity, vs->input.offset);
1577     buffer_reserve(&vs->input, 4096);
1578     ret = vnc_client_read_buf(vs, buffer_end(&vs->input), 4096);
1579     if (!ret)
1580         return 0;
1581     vs->input.offset += ret;
1582     return ret;
1583 }
1584 
1585 static void vnc_jobs_bh(void *opaque)
1586 {
1587     VncState *vs = opaque;
1588 
1589     assert(vs->magic == VNC_MAGIC);
1590     vnc_jobs_consume_buffer(vs);
1591 }
1592 
1593 /*
1594  * First function called whenever there is more data to be read from
1595  * the client socket. Will delegate actual work according to whether
1596  * SASL SSF layers are enabled (thus requiring decryption calls)
1597  * Returns 0 on success, -1 if client disconnected
1598  */
1599 static int vnc_client_read(VncState *vs)
1600 {
1601     size_t ret;
1602 
1603 #ifdef CONFIG_VNC_SASL
1604     if (vs->sasl.conn && vs->sasl.runSSF)
1605         ret = vnc_client_read_sasl(vs);
1606     else
1607 #endif /* CONFIG_VNC_SASL */
1608         ret = vnc_client_read_plain(vs);
1609     if (!ret) {
1610         if (vs->disconnecting) {
1611             vnc_disconnect_finish(vs);
1612             return -1;
1613         }
1614         return 0;
1615     }
1616 
1617     while (vs->read_handler && vs->input.offset >= vs->read_handler_expect) {
1618         size_t len = vs->read_handler_expect;
1619         int ret;
1620 
1621         ret = vs->read_handler(vs, vs->input.buffer, len);
1622         if (vs->disconnecting) {
1623             vnc_disconnect_finish(vs);
1624             return -1;
1625         }
1626 
1627         if (!ret) {
1628             buffer_advance(&vs->input, len);
1629         } else {
1630             vs->read_handler_expect = ret;
1631         }
1632     }
1633     return 0;
1634 }
1635 
1636 gboolean vnc_client_io(QIOChannel *ioc G_GNUC_UNUSED,
1637                        GIOCondition condition, void *opaque)
1638 {
1639     VncState *vs = opaque;
1640 
1641     assert(vs->magic == VNC_MAGIC);
1642 
1643     if (condition & (G_IO_HUP | G_IO_ERR)) {
1644         vnc_disconnect_start(vs);
1645         return TRUE;
1646     }
1647 
1648     if (condition & G_IO_IN) {
1649         if (vnc_client_read(vs) < 0) {
1650             /* vs is free()ed here */
1651             return TRUE;
1652         }
1653     }
1654     if (condition & G_IO_OUT) {
1655         vnc_client_write(vs);
1656     }
1657 
1658     if (vs->disconnecting) {
1659         if (vs->ioc_tag != 0) {
1660             g_source_remove(vs->ioc_tag);
1661         }
1662         vs->ioc_tag = 0;
1663     }
1664     return TRUE;
1665 }
1666 
1667 
1668 /*
1669  * Scale factor to apply to vs->throttle_output_offset when checking for
1670  * hard limit. Worst case normal usage could be x2, if we have a complete
1671  * incremental update and complete forced update in the output buffer.
1672  * So x3 should be good enough, but we pick x5 to be conservative and thus
1673  * (hopefully) never trigger incorrectly.
1674  */
1675 #define VNC_THROTTLE_OUTPUT_LIMIT_SCALE 5
1676 
1677 void vnc_write(VncState *vs, const void *data, size_t len)
1678 {
1679     assert(vs->magic == VNC_MAGIC);
1680     if (vs->disconnecting) {
1681         return;
1682     }
1683     /* Protection against malicious client/guest to prevent our output
1684      * buffer growing without bound if client stops reading data. This
1685      * should rarely trigger, because we have earlier throttling code
1686      * which stops issuing framebuffer updates and drops audio data
1687      * if the throttle_output_offset value is exceeded. So we only reach
1688      * this higher level if a huge number of pseudo-encodings get
1689      * triggered while data can't be sent on the socket.
1690      *
1691      * NB throttle_output_offset can be zero during early protocol
1692      * handshake, or from the job thread's VncState clone
1693      */
1694     if (vs->throttle_output_offset != 0 &&
1695         (vs->output.offset / VNC_THROTTLE_OUTPUT_LIMIT_SCALE) >
1696         vs->throttle_output_offset) {
1697         trace_vnc_client_output_limit(vs, vs->ioc, vs->output.offset,
1698                                       vs->throttle_output_offset);
1699         vnc_disconnect_start(vs);
1700         return;
1701     }
1702     buffer_reserve(&vs->output, len);
1703 
1704     if (vs->ioc != NULL && buffer_empty(&vs->output)) {
1705         if (vs->ioc_tag) {
1706             g_source_remove(vs->ioc_tag);
1707         }
1708         vs->ioc_tag = qio_channel_add_watch(
1709             vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR | G_IO_OUT,
1710             vnc_client_io, vs, NULL);
1711     }
1712 
1713     buffer_append(&vs->output, data, len);
1714 }
1715 
1716 void vnc_write_s32(VncState *vs, int32_t value)
1717 {
1718     vnc_write_u32(vs, *(uint32_t *)&value);
1719 }
1720 
1721 void vnc_write_u32(VncState *vs, uint32_t value)
1722 {
1723     uint8_t buf[4];
1724 
1725     buf[0] = (value >> 24) & 0xFF;
1726     buf[1] = (value >> 16) & 0xFF;
1727     buf[2] = (value >>  8) & 0xFF;
1728     buf[3] = value & 0xFF;
1729 
1730     vnc_write(vs, buf, 4);
1731 }
1732 
1733 void vnc_write_u16(VncState *vs, uint16_t value)
1734 {
1735     uint8_t buf[2];
1736 
1737     buf[0] = (value >> 8) & 0xFF;
1738     buf[1] = value & 0xFF;
1739 
1740     vnc_write(vs, buf, 2);
1741 }
1742 
1743 void vnc_write_u8(VncState *vs, uint8_t value)
1744 {
1745     vnc_write(vs, (char *)&value, 1);
1746 }
1747 
1748 void vnc_flush(VncState *vs)
1749 {
1750     vnc_lock_output(vs);
1751     if (vs->ioc != NULL && vs->output.offset) {
1752         vnc_client_write_locked(vs);
1753     }
1754     if (vs->disconnecting) {
1755         if (vs->ioc_tag != 0) {
1756             g_source_remove(vs->ioc_tag);
1757         }
1758         vs->ioc_tag = 0;
1759     }
1760     vnc_unlock_output(vs);
1761 }
1762 
1763 static uint8_t read_u8(uint8_t *data, size_t offset)
1764 {
1765     return data[offset];
1766 }
1767 
1768 static uint16_t read_u16(uint8_t *data, size_t offset)
1769 {
1770     return ((data[offset] & 0xFF) << 8) | (data[offset + 1] & 0xFF);
1771 }
1772 
1773 static int32_t read_s32(uint8_t *data, size_t offset)
1774 {
1775     return (int32_t)((data[offset] << 24) | (data[offset + 1] << 16) |
1776                      (data[offset + 2] << 8) | data[offset + 3]);
1777 }
1778 
1779 uint32_t read_u32(uint8_t *data, size_t offset)
1780 {
1781     return ((data[offset] << 24) | (data[offset + 1] << 16) |
1782             (data[offset + 2] << 8) | data[offset + 3]);
1783 }
1784 
1785 static void check_pointer_type_change(Notifier *notifier, void *data)
1786 {
1787     VncState *vs = container_of(notifier, VncState, mouse_mode_notifier);
1788     int absolute = qemu_input_is_absolute();
1789 
1790     if (vnc_has_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE) && vs->absolute != absolute) {
1791         vnc_lock_output(vs);
1792         vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1793         vnc_write_u8(vs, 0);
1794         vnc_write_u16(vs, 1);
1795         vnc_framebuffer_update(vs, absolute, 0,
1796                                pixman_image_get_width(vs->vd->server),
1797                                pixman_image_get_height(vs->vd->server),
1798                                VNC_ENCODING_POINTER_TYPE_CHANGE);
1799         vnc_unlock_output(vs);
1800         vnc_flush(vs);
1801     }
1802     vs->absolute = absolute;
1803 }
1804 
1805 static void pointer_event(VncState *vs, int button_mask, int x, int y)
1806 {
1807     static uint32_t bmap[INPUT_BUTTON__MAX] = {
1808         [INPUT_BUTTON_LEFT]       = 0x01,
1809         [INPUT_BUTTON_MIDDLE]     = 0x02,
1810         [INPUT_BUTTON_RIGHT]      = 0x04,
1811         [INPUT_BUTTON_WHEEL_UP]   = 0x08,
1812         [INPUT_BUTTON_WHEEL_DOWN] = 0x10,
1813     };
1814     QemuConsole *con = vs->vd->dcl.con;
1815     int width = pixman_image_get_width(vs->vd->server);
1816     int height = pixman_image_get_height(vs->vd->server);
1817 
1818     if (vs->last_bmask != button_mask) {
1819         qemu_input_update_buttons(con, bmap, vs->last_bmask, button_mask);
1820         vs->last_bmask = button_mask;
1821     }
1822 
1823     if (vs->absolute) {
1824         qemu_input_queue_abs(con, INPUT_AXIS_X, x, 0, width);
1825         qemu_input_queue_abs(con, INPUT_AXIS_Y, y, 0, height);
1826     } else if (vnc_has_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE)) {
1827         qemu_input_queue_rel(con, INPUT_AXIS_X, x - 0x7FFF);
1828         qemu_input_queue_rel(con, INPUT_AXIS_Y, y - 0x7FFF);
1829     } else {
1830         if (vs->last_x != -1) {
1831             qemu_input_queue_rel(con, INPUT_AXIS_X, x - vs->last_x);
1832             qemu_input_queue_rel(con, INPUT_AXIS_Y, y - vs->last_y);
1833         }
1834         vs->last_x = x;
1835         vs->last_y = y;
1836     }
1837     qemu_input_event_sync();
1838 }
1839 
1840 static void press_key(VncState *vs, QKeyCode qcode)
1841 {
1842     qkbd_state_key_event(vs->vd->kbd, qcode, true);
1843     qkbd_state_key_event(vs->vd->kbd, qcode, false);
1844 }
1845 
1846 static void vnc_led_state_change(VncState *vs)
1847 {
1848     if (!vnc_has_feature(vs, VNC_FEATURE_LED_STATE)) {
1849         return;
1850     }
1851 
1852     vnc_lock_output(vs);
1853     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1854     vnc_write_u8(vs, 0);
1855     vnc_write_u16(vs, 1);
1856     vnc_framebuffer_update(vs, 0, 0, 1, 1, VNC_ENCODING_LED_STATE);
1857     vnc_write_u8(vs, vs->vd->ledstate);
1858     vnc_unlock_output(vs);
1859     vnc_flush(vs);
1860 }
1861 
1862 static void kbd_leds(void *opaque, int ledstate)
1863 {
1864     VncDisplay *vd = opaque;
1865     VncState *client;
1866 
1867     trace_vnc_key_guest_leds((ledstate & QEMU_CAPS_LOCK_LED),
1868                              (ledstate & QEMU_NUM_LOCK_LED),
1869                              (ledstate & QEMU_SCROLL_LOCK_LED));
1870 
1871     if (ledstate == vd->ledstate) {
1872         return;
1873     }
1874 
1875     vd->ledstate = ledstate;
1876 
1877     QTAILQ_FOREACH(client, &vd->clients, next) {
1878         vnc_led_state_change(client);
1879     }
1880 }
1881 
1882 static void do_key_event(VncState *vs, int down, int keycode, int sym)
1883 {
1884     QKeyCode qcode = qemu_input_key_number_to_qcode(keycode);
1885 
1886     /* QEMU console switch */
1887     switch (qcode) {
1888     case Q_KEY_CODE_1 ... Q_KEY_CODE_9: /* '1' to '9' keys */
1889         if (vs->vd->dcl.con == NULL && down &&
1890             qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_CTRL) &&
1891             qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_ALT)) {
1892             /* Reset the modifiers sent to the current console */
1893             qkbd_state_lift_all_keys(vs->vd->kbd);
1894             console_select(qcode - Q_KEY_CODE_1);
1895             return;
1896         }
1897     default:
1898         break;
1899     }
1900 
1901     /* Turn off the lock state sync logic if the client support the led
1902        state extension.
1903     */
1904     if (down && vs->vd->lock_key_sync &&
1905         !vnc_has_feature(vs, VNC_FEATURE_LED_STATE) &&
1906         keycode_is_keypad(vs->vd->kbd_layout, keycode)) {
1907         /* If the numlock state needs to change then simulate an additional
1908            keypress before sending this one.  This will happen if the user
1909            toggles numlock away from the VNC window.
1910         */
1911         if (keysym_is_numlock(vs->vd->kbd_layout, sym & 0xFFFF)) {
1912             if (!qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_NUMLOCK)) {
1913                 trace_vnc_key_sync_numlock(true);
1914                 press_key(vs, Q_KEY_CODE_NUM_LOCK);
1915             }
1916         } else {
1917             if (qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_NUMLOCK)) {
1918                 trace_vnc_key_sync_numlock(false);
1919                 press_key(vs, Q_KEY_CODE_NUM_LOCK);
1920             }
1921         }
1922     }
1923 
1924     if (down && vs->vd->lock_key_sync &&
1925         !vnc_has_feature(vs, VNC_FEATURE_LED_STATE) &&
1926         ((sym >= 'A' && sym <= 'Z') || (sym >= 'a' && sym <= 'z'))) {
1927         /* If the capslock state needs to change then simulate an additional
1928            keypress before sending this one.  This will happen if the user
1929            toggles capslock away from the VNC window.
1930         */
1931         int uppercase = !!(sym >= 'A' && sym <= 'Z');
1932         bool shift = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_SHIFT);
1933         bool capslock = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_CAPSLOCK);
1934         if (capslock) {
1935             if (uppercase == shift) {
1936                 trace_vnc_key_sync_capslock(false);
1937                 press_key(vs, Q_KEY_CODE_CAPS_LOCK);
1938             }
1939         } else {
1940             if (uppercase != shift) {
1941                 trace_vnc_key_sync_capslock(true);
1942                 press_key(vs, Q_KEY_CODE_CAPS_LOCK);
1943             }
1944         }
1945     }
1946 
1947     qkbd_state_key_event(vs->vd->kbd, qcode, down);
1948     if (!qemu_console_is_graphic(NULL)) {
1949         bool numlock = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_NUMLOCK);
1950         bool control = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_CTRL);
1951         /* QEMU console emulation */
1952         if (down) {
1953             switch (keycode) {
1954             case 0x2a:                          /* Left Shift */
1955             case 0x36:                          /* Right Shift */
1956             case 0x1d:                          /* Left CTRL */
1957             case 0x9d:                          /* Right CTRL */
1958             case 0x38:                          /* Left ALT */
1959             case 0xb8:                          /* Right ALT */
1960                 break;
1961             case 0xc8:
1962                 kbd_put_keysym(QEMU_KEY_UP);
1963                 break;
1964             case 0xd0:
1965                 kbd_put_keysym(QEMU_KEY_DOWN);
1966                 break;
1967             case 0xcb:
1968                 kbd_put_keysym(QEMU_KEY_LEFT);
1969                 break;
1970             case 0xcd:
1971                 kbd_put_keysym(QEMU_KEY_RIGHT);
1972                 break;
1973             case 0xd3:
1974                 kbd_put_keysym(QEMU_KEY_DELETE);
1975                 break;
1976             case 0xc7:
1977                 kbd_put_keysym(QEMU_KEY_HOME);
1978                 break;
1979             case 0xcf:
1980                 kbd_put_keysym(QEMU_KEY_END);
1981                 break;
1982             case 0xc9:
1983                 kbd_put_keysym(QEMU_KEY_PAGEUP);
1984                 break;
1985             case 0xd1:
1986                 kbd_put_keysym(QEMU_KEY_PAGEDOWN);
1987                 break;
1988 
1989             case 0x47:
1990                 kbd_put_keysym(numlock ? '7' : QEMU_KEY_HOME);
1991                 break;
1992             case 0x48:
1993                 kbd_put_keysym(numlock ? '8' : QEMU_KEY_UP);
1994                 break;
1995             case 0x49:
1996                 kbd_put_keysym(numlock ? '9' : QEMU_KEY_PAGEUP);
1997                 break;
1998             case 0x4b:
1999                 kbd_put_keysym(numlock ? '4' : QEMU_KEY_LEFT);
2000                 break;
2001             case 0x4c:
2002                 kbd_put_keysym('5');
2003                 break;
2004             case 0x4d:
2005                 kbd_put_keysym(numlock ? '6' : QEMU_KEY_RIGHT);
2006                 break;
2007             case 0x4f:
2008                 kbd_put_keysym(numlock ? '1' : QEMU_KEY_END);
2009                 break;
2010             case 0x50:
2011                 kbd_put_keysym(numlock ? '2' : QEMU_KEY_DOWN);
2012                 break;
2013             case 0x51:
2014                 kbd_put_keysym(numlock ? '3' : QEMU_KEY_PAGEDOWN);
2015                 break;
2016             case 0x52:
2017                 kbd_put_keysym('0');
2018                 break;
2019             case 0x53:
2020                 kbd_put_keysym(numlock ? '.' : QEMU_KEY_DELETE);
2021                 break;
2022 
2023             case 0xb5:
2024                 kbd_put_keysym('/');
2025                 break;
2026             case 0x37:
2027                 kbd_put_keysym('*');
2028                 break;
2029             case 0x4a:
2030                 kbd_put_keysym('-');
2031                 break;
2032             case 0x4e:
2033                 kbd_put_keysym('+');
2034                 break;
2035             case 0x9c:
2036                 kbd_put_keysym('\n');
2037                 break;
2038 
2039             default:
2040                 if (control) {
2041                     kbd_put_keysym(sym & 0x1f);
2042                 } else {
2043                     kbd_put_keysym(sym);
2044                 }
2045                 break;
2046             }
2047         }
2048     }
2049 }
2050 
2051 static const char *code2name(int keycode)
2052 {
2053     return QKeyCode_str(qemu_input_key_number_to_qcode(keycode));
2054 }
2055 
2056 static void key_event(VncState *vs, int down, uint32_t sym)
2057 {
2058     int keycode;
2059     int lsym = sym;
2060 
2061     if (lsym >= 'A' && lsym <= 'Z' && qemu_console_is_graphic(NULL)) {
2062         lsym = lsym - 'A' + 'a';
2063     }
2064 
2065     keycode = keysym2scancode(vs->vd->kbd_layout, lsym & 0xFFFF,
2066                               vs->vd->kbd, down) & SCANCODE_KEYMASK;
2067     trace_vnc_key_event_map(down, sym, keycode, code2name(keycode));
2068     do_key_event(vs, down, keycode, sym);
2069 }
2070 
2071 static void ext_key_event(VncState *vs, int down,
2072                           uint32_t sym, uint16_t keycode)
2073 {
2074     /* if the user specifies a keyboard layout, always use it */
2075     if (keyboard_layout) {
2076         key_event(vs, down, sym);
2077     } else {
2078         trace_vnc_key_event_ext(down, sym, keycode, code2name(keycode));
2079         do_key_event(vs, down, keycode, sym);
2080     }
2081 }
2082 
2083 static void framebuffer_update_request(VncState *vs, int incremental,
2084                                        int x, int y, int w, int h)
2085 {
2086     if (incremental) {
2087         if (vs->update != VNC_STATE_UPDATE_FORCE) {
2088             vs->update = VNC_STATE_UPDATE_INCREMENTAL;
2089         }
2090     } else {
2091         vs->update = VNC_STATE_UPDATE_FORCE;
2092         vnc_set_area_dirty(vs->dirty, vs->vd, x, y, w, h);
2093         if (vnc_has_feature(vs, VNC_FEATURE_RESIZE_EXT)) {
2094             vnc_desktop_resize_ext(vs, 0);
2095         }
2096     }
2097 }
2098 
2099 static void send_ext_key_event_ack(VncState *vs)
2100 {
2101     vnc_lock_output(vs);
2102     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2103     vnc_write_u8(vs, 0);
2104     vnc_write_u16(vs, 1);
2105     vnc_framebuffer_update(vs, 0, 0,
2106                            pixman_image_get_width(vs->vd->server),
2107                            pixman_image_get_height(vs->vd->server),
2108                            VNC_ENCODING_EXT_KEY_EVENT);
2109     vnc_unlock_output(vs);
2110     vnc_flush(vs);
2111 }
2112 
2113 static void send_ext_audio_ack(VncState *vs)
2114 {
2115     vnc_lock_output(vs);
2116     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2117     vnc_write_u8(vs, 0);
2118     vnc_write_u16(vs, 1);
2119     vnc_framebuffer_update(vs, 0, 0,
2120                            pixman_image_get_width(vs->vd->server),
2121                            pixman_image_get_height(vs->vd->server),
2122                            VNC_ENCODING_AUDIO);
2123     vnc_unlock_output(vs);
2124     vnc_flush(vs);
2125 }
2126 
2127 static void send_xvp_message(VncState *vs, int code)
2128 {
2129     vnc_lock_output(vs);
2130     vnc_write_u8(vs, VNC_MSG_SERVER_XVP);
2131     vnc_write_u8(vs, 0); /* pad */
2132     vnc_write_u8(vs, 1); /* version */
2133     vnc_write_u8(vs, code);
2134     vnc_unlock_output(vs);
2135     vnc_flush(vs);
2136 }
2137 
2138 static void set_encodings(VncState *vs, int32_t *encodings, size_t n_encodings)
2139 {
2140     int i;
2141     unsigned int enc = 0;
2142 
2143     vs->features = 0;
2144     vs->vnc_encoding = 0;
2145     vs->tight->compression = 9;
2146     vs->tight->quality = -1; /* Lossless by default */
2147     vs->absolute = -1;
2148 
2149     /*
2150      * Start from the end because the encodings are sent in order of preference.
2151      * This way the preferred encoding (first encoding defined in the array)
2152      * will be set at the end of the loop.
2153      */
2154     for (i = n_encodings - 1; i >= 0; i--) {
2155         enc = encodings[i];
2156         switch (enc) {
2157         case VNC_ENCODING_RAW:
2158             vs->vnc_encoding = enc;
2159             break;
2160         case VNC_ENCODING_HEXTILE:
2161             vs->features |= VNC_FEATURE_HEXTILE_MASK;
2162             vs->vnc_encoding = enc;
2163             break;
2164         case VNC_ENCODING_TIGHT:
2165             vs->features |= VNC_FEATURE_TIGHT_MASK;
2166             vs->vnc_encoding = enc;
2167             break;
2168 #ifdef CONFIG_PNG
2169         case VNC_ENCODING_TIGHT_PNG:
2170             vs->features |= VNC_FEATURE_TIGHT_PNG_MASK;
2171             vs->vnc_encoding = enc;
2172             break;
2173 #endif
2174         case VNC_ENCODING_ZLIB:
2175             /*
2176              * VNC_ENCODING_ZRLE compresses better than VNC_ENCODING_ZLIB.
2177              * So prioritize ZRLE, even if the client hints that it prefers
2178              * ZLIB.
2179              */
2180             if ((vs->features & VNC_FEATURE_ZRLE_MASK) == 0) {
2181                 vs->features |= VNC_FEATURE_ZLIB_MASK;
2182                 vs->vnc_encoding = enc;
2183             }
2184             break;
2185         case VNC_ENCODING_ZRLE:
2186             vs->features |= VNC_FEATURE_ZRLE_MASK;
2187             vs->vnc_encoding = enc;
2188             break;
2189         case VNC_ENCODING_ZYWRLE:
2190             vs->features |= VNC_FEATURE_ZYWRLE_MASK;
2191             vs->vnc_encoding = enc;
2192             break;
2193         case VNC_ENCODING_DESKTOPRESIZE:
2194             vs->features |= VNC_FEATURE_RESIZE_MASK;
2195             break;
2196         case VNC_ENCODING_DESKTOP_RESIZE_EXT:
2197             vs->features |= VNC_FEATURE_RESIZE_EXT_MASK;
2198             break;
2199         case VNC_ENCODING_POINTER_TYPE_CHANGE:
2200             vs->features |= VNC_FEATURE_POINTER_TYPE_CHANGE_MASK;
2201             break;
2202         case VNC_ENCODING_RICH_CURSOR:
2203             vs->features |= VNC_FEATURE_RICH_CURSOR_MASK;
2204             break;
2205         case VNC_ENCODING_ALPHA_CURSOR:
2206             vs->features |= VNC_FEATURE_ALPHA_CURSOR_MASK;
2207             break;
2208         case VNC_ENCODING_EXT_KEY_EVENT:
2209             send_ext_key_event_ack(vs);
2210             break;
2211         case VNC_ENCODING_AUDIO:
2212             send_ext_audio_ack(vs);
2213             break;
2214         case VNC_ENCODING_WMVi:
2215             vs->features |= VNC_FEATURE_WMVI_MASK;
2216             break;
2217         case VNC_ENCODING_LED_STATE:
2218             vs->features |= VNC_FEATURE_LED_STATE_MASK;
2219             break;
2220         case VNC_ENCODING_XVP:
2221             if (vs->vd->power_control) {
2222                 vs->features |= VNC_FEATURE_XVP;
2223                 send_xvp_message(vs, VNC_XVP_CODE_INIT);
2224             }
2225             break;
2226         case VNC_ENCODING_CLIPBOARD_EXT:
2227             vs->features |= VNC_FEATURE_CLIPBOARD_EXT_MASK;
2228             vnc_server_cut_text_caps(vs);
2229             break;
2230         case VNC_ENCODING_COMPRESSLEVEL0 ... VNC_ENCODING_COMPRESSLEVEL0 + 9:
2231             vs->tight->compression = (enc & 0x0F);
2232             break;
2233         case VNC_ENCODING_QUALITYLEVEL0 ... VNC_ENCODING_QUALITYLEVEL0 + 9:
2234             if (vs->vd->lossy) {
2235                 vs->tight->quality = (enc & 0x0F);
2236             }
2237             break;
2238         default:
2239             VNC_DEBUG("Unknown encoding: %d (0x%.8x): %d\n", i, enc, enc);
2240             break;
2241         }
2242     }
2243     vnc_desktop_resize(vs);
2244     check_pointer_type_change(&vs->mouse_mode_notifier, NULL);
2245     vnc_led_state_change(vs);
2246     vnc_cursor_define(vs);
2247 }
2248 
2249 static void set_pixel_conversion(VncState *vs)
2250 {
2251     pixman_format_code_t fmt = qemu_pixman_get_format(&vs->client_pf);
2252 
2253     if (fmt == VNC_SERVER_FB_FORMAT) {
2254         vs->write_pixels = vnc_write_pixels_copy;
2255         vnc_hextile_set_pixel_conversion(vs, 0);
2256     } else {
2257         vs->write_pixels = vnc_write_pixels_generic;
2258         vnc_hextile_set_pixel_conversion(vs, 1);
2259     }
2260 }
2261 
2262 static void send_color_map(VncState *vs)
2263 {
2264     int i;
2265 
2266     vnc_lock_output(vs);
2267     vnc_write_u8(vs, VNC_MSG_SERVER_SET_COLOUR_MAP_ENTRIES);
2268     vnc_write_u8(vs,  0);    /* padding     */
2269     vnc_write_u16(vs, 0);    /* first color */
2270     vnc_write_u16(vs, 256);  /* # of colors */
2271 
2272     for (i = 0; i < 256; i++) {
2273         PixelFormat *pf = &vs->client_pf;
2274 
2275         vnc_write_u16(vs, (((i >> pf->rshift) & pf->rmax) << (16 - pf->rbits)));
2276         vnc_write_u16(vs, (((i >> pf->gshift) & pf->gmax) << (16 - pf->gbits)));
2277         vnc_write_u16(vs, (((i >> pf->bshift) & pf->bmax) << (16 - pf->bbits)));
2278     }
2279     vnc_unlock_output(vs);
2280 }
2281 
2282 static void set_pixel_format(VncState *vs, int bits_per_pixel,
2283                              int big_endian_flag, int true_color_flag,
2284                              int red_max, int green_max, int blue_max,
2285                              int red_shift, int green_shift, int blue_shift)
2286 {
2287     if (!true_color_flag) {
2288         /* Expose a reasonable default 256 color map */
2289         bits_per_pixel = 8;
2290         red_max = 7;
2291         green_max = 7;
2292         blue_max = 3;
2293         red_shift = 0;
2294         green_shift = 3;
2295         blue_shift = 6;
2296     }
2297 
2298     switch (bits_per_pixel) {
2299     case 8:
2300     case 16:
2301     case 32:
2302         break;
2303     default:
2304         vnc_client_error(vs);
2305         return;
2306     }
2307 
2308     vs->client_pf.rmax = red_max ? red_max : 0xFF;
2309     vs->client_pf.rbits = ctpopl(red_max);
2310     vs->client_pf.rshift = red_shift;
2311     vs->client_pf.rmask = red_max << red_shift;
2312     vs->client_pf.gmax = green_max ? green_max : 0xFF;
2313     vs->client_pf.gbits = ctpopl(green_max);
2314     vs->client_pf.gshift = green_shift;
2315     vs->client_pf.gmask = green_max << green_shift;
2316     vs->client_pf.bmax = blue_max ? blue_max : 0xFF;
2317     vs->client_pf.bbits = ctpopl(blue_max);
2318     vs->client_pf.bshift = blue_shift;
2319     vs->client_pf.bmask = blue_max << blue_shift;
2320     vs->client_pf.bits_per_pixel = bits_per_pixel;
2321     vs->client_pf.bytes_per_pixel = bits_per_pixel / 8;
2322     vs->client_pf.depth = bits_per_pixel == 32 ? 24 : bits_per_pixel;
2323     vs->client_be = big_endian_flag;
2324 
2325     if (!true_color_flag) {
2326         send_color_map(vs);
2327     }
2328 
2329     set_pixel_conversion(vs);
2330 
2331     graphic_hw_invalidate(vs->vd->dcl.con);
2332     graphic_hw_update(vs->vd->dcl.con);
2333 }
2334 
2335 static void pixel_format_message (VncState *vs) {
2336     char pad[3] = { 0, 0, 0 };
2337 
2338     vs->client_pf = qemu_default_pixelformat(32);
2339 
2340     vnc_write_u8(vs, vs->client_pf.bits_per_pixel); /* bits-per-pixel */
2341     vnc_write_u8(vs, vs->client_pf.depth); /* depth */
2342 
2343 #if HOST_BIG_ENDIAN
2344     vnc_write_u8(vs, 1);             /* big-endian-flag */
2345 #else
2346     vnc_write_u8(vs, 0);             /* big-endian-flag */
2347 #endif
2348     vnc_write_u8(vs, 1);             /* true-color-flag */
2349     vnc_write_u16(vs, vs->client_pf.rmax);     /* red-max */
2350     vnc_write_u16(vs, vs->client_pf.gmax);     /* green-max */
2351     vnc_write_u16(vs, vs->client_pf.bmax);     /* blue-max */
2352     vnc_write_u8(vs, vs->client_pf.rshift);    /* red-shift */
2353     vnc_write_u8(vs, vs->client_pf.gshift);    /* green-shift */
2354     vnc_write_u8(vs, vs->client_pf.bshift);    /* blue-shift */
2355     vnc_write(vs, pad, 3);           /* padding */
2356 
2357     vnc_hextile_set_pixel_conversion(vs, 0);
2358     vs->write_pixels = vnc_write_pixels_copy;
2359 }
2360 
2361 static void vnc_colordepth(VncState *vs)
2362 {
2363     if (vnc_has_feature(vs, VNC_FEATURE_WMVI)) {
2364         /* Sending a WMVi message to notify the client*/
2365         vnc_lock_output(vs);
2366         vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2367         vnc_write_u8(vs, 0);
2368         vnc_write_u16(vs, 1); /* number of rects */
2369         vnc_framebuffer_update(vs, 0, 0,
2370                                vs->client_width,
2371                                vs->client_height,
2372                                VNC_ENCODING_WMVi);
2373         pixel_format_message(vs);
2374         vnc_unlock_output(vs);
2375         vnc_flush(vs);
2376     } else {
2377         set_pixel_conversion(vs);
2378     }
2379 }
2380 
2381 static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
2382 {
2383     int i;
2384     uint16_t limit;
2385     uint32_t freq;
2386     VncDisplay *vd = vs->vd;
2387 
2388     if (data[0] > 3) {
2389         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
2390     }
2391 
2392     switch (data[0]) {
2393     case VNC_MSG_CLIENT_SET_PIXEL_FORMAT:
2394         if (len == 1)
2395             return 20;
2396 
2397         set_pixel_format(vs, read_u8(data, 4),
2398                          read_u8(data, 6), read_u8(data, 7),
2399                          read_u16(data, 8), read_u16(data, 10),
2400                          read_u16(data, 12), read_u8(data, 14),
2401                          read_u8(data, 15), read_u8(data, 16));
2402         break;
2403     case VNC_MSG_CLIENT_SET_ENCODINGS:
2404         if (len == 1)
2405             return 4;
2406 
2407         if (len == 4) {
2408             limit = read_u16(data, 2);
2409             if (limit > 0)
2410                 return 4 + (limit * 4);
2411         } else
2412             limit = read_u16(data, 2);
2413 
2414         for (i = 0; i < limit; i++) {
2415             int32_t val = read_s32(data, 4 + (i * 4));
2416             memcpy(data + 4 + (i * 4), &val, sizeof(val));
2417         }
2418 
2419         set_encodings(vs, (int32_t *)(data + 4), limit);
2420         break;
2421     case VNC_MSG_CLIENT_FRAMEBUFFER_UPDATE_REQUEST:
2422         if (len == 1)
2423             return 10;
2424 
2425         framebuffer_update_request(vs,
2426                                    read_u8(data, 1), read_u16(data, 2), read_u16(data, 4),
2427                                    read_u16(data, 6), read_u16(data, 8));
2428         break;
2429     case VNC_MSG_CLIENT_KEY_EVENT:
2430         if (len == 1)
2431             return 8;
2432 
2433         key_event(vs, read_u8(data, 1), read_u32(data, 4));
2434         break;
2435     case VNC_MSG_CLIENT_POINTER_EVENT:
2436         if (len == 1)
2437             return 6;
2438 
2439         pointer_event(vs, read_u8(data, 1), read_u16(data, 2), read_u16(data, 4));
2440         break;
2441     case VNC_MSG_CLIENT_CUT_TEXT:
2442         if (len == 1) {
2443             return 8;
2444         }
2445         if (len == 8) {
2446             uint32_t dlen = abs(read_s32(data, 4));
2447             if (dlen > (1 << 20)) {
2448                 error_report("vnc: client_cut_text msg payload has %u bytes"
2449                              " which exceeds our limit of 1MB.", dlen);
2450                 vnc_client_error(vs);
2451                 break;
2452             }
2453             if (dlen > 0) {
2454                 return 8 + dlen;
2455             }
2456         }
2457 
2458         if (read_s32(data, 4) < 0) {
2459             vnc_client_cut_text_ext(vs, abs(read_s32(data, 4)),
2460                                     read_u32(data, 8), data + 12);
2461             break;
2462         }
2463         vnc_client_cut_text(vs, read_u32(data, 4), data + 8);
2464         break;
2465     case VNC_MSG_CLIENT_XVP:
2466         if (!(vs->features & VNC_FEATURE_XVP)) {
2467             error_report("vnc: xvp client message while disabled");
2468             vnc_client_error(vs);
2469             break;
2470         }
2471         if (len == 1) {
2472             return 4;
2473         }
2474         if (len == 4) {
2475             uint8_t version = read_u8(data, 2);
2476             uint8_t action = read_u8(data, 3);
2477 
2478             if (version != 1) {
2479                 error_report("vnc: xvp client message version %d != 1",
2480                              version);
2481                 vnc_client_error(vs);
2482                 break;
2483             }
2484 
2485             switch (action) {
2486             case VNC_XVP_ACTION_SHUTDOWN:
2487                 qemu_system_powerdown_request();
2488                 break;
2489             case VNC_XVP_ACTION_REBOOT:
2490                 send_xvp_message(vs, VNC_XVP_CODE_FAIL);
2491                 break;
2492             case VNC_XVP_ACTION_RESET:
2493                 qemu_system_reset_request(SHUTDOWN_CAUSE_HOST_QMP_SYSTEM_RESET);
2494                 break;
2495             default:
2496                 send_xvp_message(vs, VNC_XVP_CODE_FAIL);
2497                 break;
2498             }
2499         }
2500         break;
2501     case VNC_MSG_CLIENT_QEMU:
2502         if (len == 1)
2503             return 2;
2504 
2505         switch (read_u8(data, 1)) {
2506         case VNC_MSG_CLIENT_QEMU_EXT_KEY_EVENT:
2507             if (len == 2)
2508                 return 12;
2509 
2510             ext_key_event(vs, read_u16(data, 2),
2511                           read_u32(data, 4), read_u32(data, 8));
2512             break;
2513         case VNC_MSG_CLIENT_QEMU_AUDIO:
2514             if (len == 2)
2515                 return 4;
2516 
2517             switch (read_u16 (data, 2)) {
2518             case VNC_MSG_CLIENT_QEMU_AUDIO_ENABLE:
2519                 trace_vnc_msg_client_audio_enable(vs, vs->ioc);
2520                 audio_add(vs);
2521                 break;
2522             case VNC_MSG_CLIENT_QEMU_AUDIO_DISABLE:
2523                 trace_vnc_msg_client_audio_disable(vs, vs->ioc);
2524                 audio_del(vs);
2525                 break;
2526             case VNC_MSG_CLIENT_QEMU_AUDIO_SET_FORMAT:
2527                 if (len == 4)
2528                     return 10;
2529                 switch (read_u8(data, 4)) {
2530                 case 0: vs->as.fmt = AUDIO_FORMAT_U8; break;
2531                 case 1: vs->as.fmt = AUDIO_FORMAT_S8; break;
2532                 case 2: vs->as.fmt = AUDIO_FORMAT_U16; break;
2533                 case 3: vs->as.fmt = AUDIO_FORMAT_S16; break;
2534                 case 4: vs->as.fmt = AUDIO_FORMAT_U32; break;
2535                 case 5: vs->as.fmt = AUDIO_FORMAT_S32; break;
2536                 default:
2537                     VNC_DEBUG("Invalid audio format %d\n", read_u8(data, 4));
2538                     vnc_client_error(vs);
2539                     break;
2540                 }
2541                 vs->as.nchannels = read_u8(data, 5);
2542                 if (vs->as.nchannels != 1 && vs->as.nchannels != 2) {
2543                     VNC_DEBUG("Invalid audio channel count %d\n",
2544                               read_u8(data, 5));
2545                     vnc_client_error(vs);
2546                     break;
2547                 }
2548                 freq = read_u32(data, 6);
2549                 /* No official limit for protocol, but 48khz is a sensible
2550                  * upper bound for trustworthy clients, and this limit
2551                  * protects calculations involving 'vs->as.freq' later.
2552                  */
2553                 if (freq > 48000) {
2554                     VNC_DEBUG("Invalid audio frequency %u > 48000", freq);
2555                     vnc_client_error(vs);
2556                     break;
2557                 }
2558                 vs->as.freq = freq;
2559                 trace_vnc_msg_client_audio_format(
2560                     vs, vs->ioc, vs->as.fmt, vs->as.nchannels, vs->as.freq);
2561                 break;
2562             default:
2563                 VNC_DEBUG("Invalid audio message %d\n", read_u8(data, 4));
2564                 vnc_client_error(vs);
2565                 break;
2566             }
2567             break;
2568 
2569         default:
2570             VNC_DEBUG("Msg: %d\n", read_u16(data, 0));
2571             vnc_client_error(vs);
2572             break;
2573         }
2574         break;
2575     case VNC_MSG_CLIENT_SET_DESKTOP_SIZE:
2576     {
2577         size_t size;
2578         uint8_t screens;
2579         int w, h;
2580 
2581         if (len < 8) {
2582             return 8;
2583         }
2584 
2585         screens = read_u8(data, 6);
2586         size    = 8 + screens * 16;
2587         if (len < size) {
2588             return size;
2589         }
2590         w = read_u16(data, 2);
2591         h = read_u16(data, 4);
2592 
2593         trace_vnc_msg_client_set_desktop_size(vs, vs->ioc, w, h, screens);
2594         if (dpy_ui_info_supported(vs->vd->dcl.con)) {
2595             QemuUIInfo info;
2596             memset(&info, 0, sizeof(info));
2597             info.width = w;
2598             info.height = h;
2599             dpy_set_ui_info(vs->vd->dcl.con, &info, false);
2600             vnc_desktop_resize_ext(vs, 4 /* Request forwarded */);
2601         } else {
2602             vnc_desktop_resize_ext(vs, 3 /* Invalid screen layout */);
2603         }
2604 
2605         break;
2606     }
2607     default:
2608         VNC_DEBUG("Msg: %d\n", data[0]);
2609         vnc_client_error(vs);
2610         break;
2611     }
2612 
2613     vnc_update_throttle_offset(vs);
2614     vnc_read_when(vs, protocol_client_msg, 1);
2615     return 0;
2616 }
2617 
2618 static int protocol_client_init(VncState *vs, uint8_t *data, size_t len)
2619 {
2620     char buf[1024];
2621     VncShareMode mode;
2622     int size;
2623 
2624     mode = data[0] ? VNC_SHARE_MODE_SHARED : VNC_SHARE_MODE_EXCLUSIVE;
2625     switch (vs->vd->share_policy) {
2626     case VNC_SHARE_POLICY_IGNORE:
2627         /*
2628          * Ignore the shared flag.  Nothing to do here.
2629          *
2630          * Doesn't conform to the rfb spec but is traditional qemu
2631          * behavior, thus left here as option for compatibility
2632          * reasons.
2633          */
2634         break;
2635     case VNC_SHARE_POLICY_ALLOW_EXCLUSIVE:
2636         /*
2637          * Policy: Allow clients ask for exclusive access.
2638          *
2639          * Implementation: When a client asks for exclusive access,
2640          * disconnect all others. Shared connects are allowed as long
2641          * as no exclusive connection exists.
2642          *
2643          * This is how the rfb spec suggests to handle the shared flag.
2644          */
2645         if (mode == VNC_SHARE_MODE_EXCLUSIVE) {
2646             VncState *client;
2647             QTAILQ_FOREACH(client, &vs->vd->clients, next) {
2648                 if (vs == client) {
2649                     continue;
2650                 }
2651                 if (client->share_mode != VNC_SHARE_MODE_EXCLUSIVE &&
2652                     client->share_mode != VNC_SHARE_MODE_SHARED) {
2653                     continue;
2654                 }
2655                 vnc_disconnect_start(client);
2656             }
2657         }
2658         if (mode == VNC_SHARE_MODE_SHARED) {
2659             if (vs->vd->num_exclusive > 0) {
2660                 vnc_disconnect_start(vs);
2661                 return 0;
2662             }
2663         }
2664         break;
2665     case VNC_SHARE_POLICY_FORCE_SHARED:
2666         /*
2667          * Policy: Shared connects only.
2668          * Implementation: Disallow clients asking for exclusive access.
2669          *
2670          * Useful for shared desktop sessions where you don't want
2671          * someone forgetting to say -shared when running the vnc
2672          * client disconnect everybody else.
2673          */
2674         if (mode == VNC_SHARE_MODE_EXCLUSIVE) {
2675             vnc_disconnect_start(vs);
2676             return 0;
2677         }
2678         break;
2679     }
2680     vnc_set_share_mode(vs, mode);
2681 
2682     if (vs->vd->num_shared > vs->vd->connections_limit) {
2683         vnc_disconnect_start(vs);
2684         return 0;
2685     }
2686 
2687     assert(pixman_image_get_width(vs->vd->server) < 65536 &&
2688            pixman_image_get_width(vs->vd->server) >= 0);
2689     assert(pixman_image_get_height(vs->vd->server) < 65536 &&
2690            pixman_image_get_height(vs->vd->server) >= 0);
2691     vs->client_width = pixman_image_get_width(vs->vd->server);
2692     vs->client_height = pixman_image_get_height(vs->vd->server);
2693     vnc_write_u16(vs, vs->client_width);
2694     vnc_write_u16(vs, vs->client_height);
2695 
2696     pixel_format_message(vs);
2697 
2698     if (qemu_name) {
2699         size = snprintf(buf, sizeof(buf), "QEMU (%s)", qemu_name);
2700         if (size > sizeof(buf)) {
2701             size = sizeof(buf);
2702         }
2703     } else {
2704         size = snprintf(buf, sizeof(buf), "QEMU");
2705     }
2706 
2707     vnc_write_u32(vs, size);
2708     vnc_write(vs, buf, size);
2709     vnc_flush(vs);
2710 
2711     vnc_client_cache_auth(vs);
2712     vnc_qmp_event(vs, QAPI_EVENT_VNC_INITIALIZED);
2713 
2714     vnc_read_when(vs, protocol_client_msg, 1);
2715 
2716     return 0;
2717 }
2718 
2719 void start_client_init(VncState *vs)
2720 {
2721     vnc_read_when(vs, protocol_client_init, 1);
2722 }
2723 
2724 static void authentication_failed(VncState *vs)
2725 {
2726     vnc_write_u32(vs, 1); /* Reject auth */
2727     if (vs->minor >= 8) {
2728         static const char err[] = "Authentication failed";
2729         vnc_write_u32(vs, sizeof(err));
2730         vnc_write(vs, err, sizeof(err));
2731     }
2732     vnc_flush(vs);
2733     vnc_client_error(vs);
2734 }
2735 
2736 static void
2737 vnc_munge_des_rfb_key(unsigned char *key, size_t nkey)
2738 {
2739     size_t i;
2740     for (i = 0; i < nkey; i++) {
2741         uint8_t r = key[i];
2742         r = (r & 0xf0) >> 4 | (r & 0x0f) << 4;
2743         r = (r & 0xcc) >> 2 | (r & 0x33) << 2;
2744         r = (r & 0xaa) >> 1 | (r & 0x55) << 1;
2745         key[i] = r;
2746     }
2747 }
2748 
2749 static int protocol_client_auth_vnc(VncState *vs, uint8_t *data, size_t len)
2750 {
2751     unsigned char response[VNC_AUTH_CHALLENGE_SIZE];
2752     size_t i, pwlen;
2753     unsigned char key[8];
2754     time_t now = time(NULL);
2755     QCryptoCipher *cipher = NULL;
2756     Error *err = NULL;
2757 
2758     if (!vs->vd->password) {
2759         trace_vnc_auth_fail(vs, vs->auth, "password is not set", "");
2760         goto reject;
2761     }
2762     if (vs->vd->expires < now) {
2763         trace_vnc_auth_fail(vs, vs->auth, "password is expired", "");
2764         goto reject;
2765     }
2766 
2767     memcpy(response, vs->challenge, VNC_AUTH_CHALLENGE_SIZE);
2768 
2769     /* Calculate the expected challenge response */
2770     pwlen = strlen(vs->vd->password);
2771     for (i=0; i<sizeof(key); i++)
2772         key[i] = i<pwlen ? vs->vd->password[i] : 0;
2773     vnc_munge_des_rfb_key(key, sizeof(key));
2774 
2775     cipher = qcrypto_cipher_new(
2776         QCRYPTO_CIPHER_ALG_DES,
2777         QCRYPTO_CIPHER_MODE_ECB,
2778         key, G_N_ELEMENTS(key),
2779         &err);
2780     if (!cipher) {
2781         trace_vnc_auth_fail(vs, vs->auth, "cannot create cipher",
2782                             error_get_pretty(err));
2783         error_free(err);
2784         goto reject;
2785     }
2786 
2787     if (qcrypto_cipher_encrypt(cipher,
2788                                vs->challenge,
2789                                response,
2790                                VNC_AUTH_CHALLENGE_SIZE,
2791                                &err) < 0) {
2792         trace_vnc_auth_fail(vs, vs->auth, "cannot encrypt challenge response",
2793                             error_get_pretty(err));
2794         error_free(err);
2795         goto reject;
2796     }
2797 
2798     /* Compare expected vs actual challenge response */
2799     if (memcmp(response, data, VNC_AUTH_CHALLENGE_SIZE) != 0) {
2800         trace_vnc_auth_fail(vs, vs->auth, "mis-matched challenge response", "");
2801         goto reject;
2802     } else {
2803         trace_vnc_auth_pass(vs, vs->auth);
2804         vnc_write_u32(vs, 0); /* Accept auth */
2805         vnc_flush(vs);
2806 
2807         start_client_init(vs);
2808     }
2809 
2810     qcrypto_cipher_free(cipher);
2811     return 0;
2812 
2813 reject:
2814     authentication_failed(vs);
2815     qcrypto_cipher_free(cipher);
2816     return 0;
2817 }
2818 
2819 void start_auth_vnc(VncState *vs)
2820 {
2821     Error *err = NULL;
2822 
2823     if (qcrypto_random_bytes(vs->challenge, sizeof(vs->challenge), &err)) {
2824         trace_vnc_auth_fail(vs, vs->auth, "cannot get random bytes",
2825                             error_get_pretty(err));
2826         error_free(err);
2827         authentication_failed(vs);
2828         return;
2829     }
2830 
2831     /* Send client a 'random' challenge */
2832     vnc_write(vs, vs->challenge, sizeof(vs->challenge));
2833     vnc_flush(vs);
2834 
2835     vnc_read_when(vs, protocol_client_auth_vnc, sizeof(vs->challenge));
2836 }
2837 
2838 
2839 static int protocol_client_auth(VncState *vs, uint8_t *data, size_t len)
2840 {
2841     /* We only advertise 1 auth scheme at a time, so client
2842      * must pick the one we sent. Verify this */
2843     if (data[0] != vs->auth) { /* Reject auth */
2844        trace_vnc_auth_reject(vs, vs->auth, (int)data[0]);
2845        authentication_failed(vs);
2846     } else { /* Accept requested auth */
2847        trace_vnc_auth_start(vs, vs->auth);
2848        switch (vs->auth) {
2849        case VNC_AUTH_NONE:
2850            if (vs->minor >= 8) {
2851                vnc_write_u32(vs, 0); /* Accept auth completion */
2852                vnc_flush(vs);
2853            }
2854            trace_vnc_auth_pass(vs, vs->auth);
2855            start_client_init(vs);
2856            break;
2857 
2858        case VNC_AUTH_VNC:
2859            start_auth_vnc(vs);
2860            break;
2861 
2862        case VNC_AUTH_VENCRYPT:
2863            start_auth_vencrypt(vs);
2864            break;
2865 
2866 #ifdef CONFIG_VNC_SASL
2867        case VNC_AUTH_SASL:
2868            start_auth_sasl(vs);
2869            break;
2870 #endif /* CONFIG_VNC_SASL */
2871 
2872        default: /* Should not be possible, but just in case */
2873            trace_vnc_auth_fail(vs, vs->auth, "Unhandled auth method", "");
2874            authentication_failed(vs);
2875        }
2876     }
2877     return 0;
2878 }
2879 
2880 static int protocol_version(VncState *vs, uint8_t *version, size_t len)
2881 {
2882     char local[13];
2883 
2884     memcpy(local, version, 12);
2885     local[12] = 0;
2886 
2887     if (sscanf(local, "RFB %03d.%03d\n", &vs->major, &vs->minor) != 2) {
2888         VNC_DEBUG("Malformed protocol version %s\n", local);
2889         vnc_client_error(vs);
2890         return 0;
2891     }
2892     VNC_DEBUG("Client request protocol version %d.%d\n", vs->major, vs->minor);
2893     if (vs->major != 3 ||
2894         (vs->minor != 3 &&
2895          vs->minor != 4 &&
2896          vs->minor != 5 &&
2897          vs->minor != 7 &&
2898          vs->minor != 8)) {
2899         VNC_DEBUG("Unsupported client version\n");
2900         vnc_write_u32(vs, VNC_AUTH_INVALID);
2901         vnc_flush(vs);
2902         vnc_client_error(vs);
2903         return 0;
2904     }
2905     /* Some broken clients report v3.4 or v3.5, which spec requires to be treated
2906      * as equivalent to v3.3 by servers
2907      */
2908     if (vs->minor == 4 || vs->minor == 5)
2909         vs->minor = 3;
2910 
2911     if (vs->minor == 3) {
2912         trace_vnc_auth_start(vs, vs->auth);
2913         if (vs->auth == VNC_AUTH_NONE) {
2914             vnc_write_u32(vs, vs->auth);
2915             vnc_flush(vs);
2916             trace_vnc_auth_pass(vs, vs->auth);
2917             start_client_init(vs);
2918        } else if (vs->auth == VNC_AUTH_VNC) {
2919             VNC_DEBUG("Tell client VNC auth\n");
2920             vnc_write_u32(vs, vs->auth);
2921             vnc_flush(vs);
2922             start_auth_vnc(vs);
2923        } else {
2924             trace_vnc_auth_fail(vs, vs->auth,
2925                                 "Unsupported auth method for v3.3", "");
2926             vnc_write_u32(vs, VNC_AUTH_INVALID);
2927             vnc_flush(vs);
2928             vnc_client_error(vs);
2929        }
2930     } else {
2931         vnc_write_u8(vs, 1); /* num auth */
2932         vnc_write_u8(vs, vs->auth);
2933         vnc_read_when(vs, protocol_client_auth, 1);
2934         vnc_flush(vs);
2935     }
2936 
2937     return 0;
2938 }
2939 
2940 static VncRectStat *vnc_stat_rect(VncDisplay *vd, int x, int y)
2941 {
2942     struct VncSurface *vs = &vd->guest;
2943 
2944     return &vs->stats[y / VNC_STAT_RECT][x / VNC_STAT_RECT];
2945 }
2946 
2947 void vnc_sent_lossy_rect(VncState *vs, int x, int y, int w, int h)
2948 {
2949     int i, j;
2950 
2951     w = (x + w) / VNC_STAT_RECT;
2952     h = (y + h) / VNC_STAT_RECT;
2953     x /= VNC_STAT_RECT;
2954     y /= VNC_STAT_RECT;
2955 
2956     for (j = y; j <= h; j++) {
2957         for (i = x; i <= w; i++) {
2958             vs->lossy_rect[j][i] = 1;
2959         }
2960     }
2961 }
2962 
2963 static int vnc_refresh_lossy_rect(VncDisplay *vd, int x, int y)
2964 {
2965     VncState *vs;
2966     int sty = y / VNC_STAT_RECT;
2967     int stx = x / VNC_STAT_RECT;
2968     int has_dirty = 0;
2969 
2970     y = QEMU_ALIGN_DOWN(y, VNC_STAT_RECT);
2971     x = QEMU_ALIGN_DOWN(x, VNC_STAT_RECT);
2972 
2973     QTAILQ_FOREACH(vs, &vd->clients, next) {
2974         int j;
2975 
2976         /* kernel send buffers are full -> refresh later */
2977         if (vs->output.offset) {
2978             continue;
2979         }
2980 
2981         if (!vs->lossy_rect[sty][stx]) {
2982             continue;
2983         }
2984 
2985         vs->lossy_rect[sty][stx] = 0;
2986         for (j = 0; j < VNC_STAT_RECT; ++j) {
2987             bitmap_set(vs->dirty[y + j],
2988                        x / VNC_DIRTY_PIXELS_PER_BIT,
2989                        VNC_STAT_RECT / VNC_DIRTY_PIXELS_PER_BIT);
2990         }
2991         has_dirty++;
2992     }
2993 
2994     return has_dirty;
2995 }
2996 
2997 static int vnc_update_stats(VncDisplay *vd,  struct timeval * tv)
2998 {
2999     int width = MIN(pixman_image_get_width(vd->guest.fb),
3000                     pixman_image_get_width(vd->server));
3001     int height = MIN(pixman_image_get_height(vd->guest.fb),
3002                      pixman_image_get_height(vd->server));
3003     int x, y;
3004     struct timeval res;
3005     int has_dirty = 0;
3006 
3007     for (y = 0; y < height; y += VNC_STAT_RECT) {
3008         for (x = 0; x < width; x += VNC_STAT_RECT) {
3009             VncRectStat *rect = vnc_stat_rect(vd, x, y);
3010 
3011             rect->updated = false;
3012         }
3013     }
3014 
3015     qemu_timersub(tv, &VNC_REFRESH_STATS, &res);
3016 
3017     if (timercmp(&vd->guest.last_freq_check, &res, >)) {
3018         return has_dirty;
3019     }
3020     vd->guest.last_freq_check = *tv;
3021 
3022     for (y = 0; y < height; y += VNC_STAT_RECT) {
3023         for (x = 0; x < width; x += VNC_STAT_RECT) {
3024             VncRectStat *rect= vnc_stat_rect(vd, x, y);
3025             int count = ARRAY_SIZE(rect->times);
3026             struct timeval min, max;
3027 
3028             if (!timerisset(&rect->times[count - 1])) {
3029                 continue ;
3030             }
3031 
3032             max = rect->times[(rect->idx + count - 1) % count];
3033             qemu_timersub(tv, &max, &res);
3034 
3035             if (timercmp(&res, &VNC_REFRESH_LOSSY, >)) {
3036                 rect->freq = 0;
3037                 has_dirty += vnc_refresh_lossy_rect(vd, x, y);
3038                 memset(rect->times, 0, sizeof (rect->times));
3039                 continue ;
3040             }
3041 
3042             min = rect->times[rect->idx];
3043             max = rect->times[(rect->idx + count - 1) % count];
3044             qemu_timersub(&max, &min, &res);
3045 
3046             rect->freq = res.tv_sec + res.tv_usec / 1000000.;
3047             rect->freq /= count;
3048             rect->freq = 1. / rect->freq;
3049         }
3050     }
3051     return has_dirty;
3052 }
3053 
3054 double vnc_update_freq(VncState *vs, int x, int y, int w, int h)
3055 {
3056     int i, j;
3057     double total = 0;
3058     int num = 0;
3059 
3060     x =  QEMU_ALIGN_DOWN(x, VNC_STAT_RECT);
3061     y =  QEMU_ALIGN_DOWN(y, VNC_STAT_RECT);
3062 
3063     for (j = y; j <= y + h; j += VNC_STAT_RECT) {
3064         for (i = x; i <= x + w; i += VNC_STAT_RECT) {
3065             total += vnc_stat_rect(vs->vd, i, j)->freq;
3066             num++;
3067         }
3068     }
3069 
3070     if (num) {
3071         return total / num;
3072     } else {
3073         return 0;
3074     }
3075 }
3076 
3077 static void vnc_rect_updated(VncDisplay *vd, int x, int y, struct timeval * tv)
3078 {
3079     VncRectStat *rect;
3080 
3081     rect = vnc_stat_rect(vd, x, y);
3082     if (rect->updated) {
3083         return ;
3084     }
3085     rect->times[rect->idx] = *tv;
3086     rect->idx = (rect->idx + 1) % ARRAY_SIZE(rect->times);
3087     rect->updated = true;
3088 }
3089 
3090 static int vnc_refresh_server_surface(VncDisplay *vd)
3091 {
3092     int width = MIN(pixman_image_get_width(vd->guest.fb),
3093                     pixman_image_get_width(vd->server));
3094     int height = MIN(pixman_image_get_height(vd->guest.fb),
3095                      pixman_image_get_height(vd->server));
3096     int cmp_bytes, server_stride, line_bytes, guest_ll, guest_stride, y = 0;
3097     uint8_t *guest_row0 = NULL, *server_row0;
3098     VncState *vs;
3099     int has_dirty = 0;
3100     pixman_image_t *tmpbuf = NULL;
3101     unsigned long offset;
3102     int x;
3103     uint8_t *guest_ptr, *server_ptr;
3104 
3105     struct timeval tv = { 0, 0 };
3106 
3107     if (!vd->non_adaptive) {
3108         gettimeofday(&tv, NULL);
3109         has_dirty = vnc_update_stats(vd, &tv);
3110     }
3111 
3112     offset = find_next_bit((unsigned long *) &vd->guest.dirty,
3113                            height * VNC_DIRTY_BPL(&vd->guest), 0);
3114     if (offset == height * VNC_DIRTY_BPL(&vd->guest)) {
3115         /* no dirty bits in guest surface */
3116         return has_dirty;
3117     }
3118 
3119     /*
3120      * Walk through the guest dirty map.
3121      * Check and copy modified bits from guest to server surface.
3122      * Update server dirty map.
3123      */
3124     server_row0 = (uint8_t *)pixman_image_get_data(vd->server);
3125     server_stride = guest_stride = guest_ll =
3126         pixman_image_get_stride(vd->server);
3127     cmp_bytes = MIN(VNC_DIRTY_PIXELS_PER_BIT * VNC_SERVER_FB_BYTES,
3128                     server_stride);
3129     if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
3130         int width = pixman_image_get_width(vd->server);
3131         tmpbuf = qemu_pixman_linebuf_create(VNC_SERVER_FB_FORMAT, width);
3132     } else {
3133         int guest_bpp =
3134             PIXMAN_FORMAT_BPP(pixman_image_get_format(vd->guest.fb));
3135         guest_row0 = (uint8_t *)pixman_image_get_data(vd->guest.fb);
3136         guest_stride = pixman_image_get_stride(vd->guest.fb);
3137         guest_ll = pixman_image_get_width(vd->guest.fb)
3138                    * DIV_ROUND_UP(guest_bpp, 8);
3139     }
3140     line_bytes = MIN(server_stride, guest_ll);
3141 
3142     for (;;) {
3143         y = offset / VNC_DIRTY_BPL(&vd->guest);
3144         x = offset % VNC_DIRTY_BPL(&vd->guest);
3145 
3146         server_ptr = server_row0 + y * server_stride + x * cmp_bytes;
3147 
3148         if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
3149             qemu_pixman_linebuf_fill(tmpbuf, vd->guest.fb, width, 0, y);
3150             guest_ptr = (uint8_t *)pixman_image_get_data(tmpbuf);
3151         } else {
3152             guest_ptr = guest_row0 + y * guest_stride;
3153         }
3154         guest_ptr += x * cmp_bytes;
3155 
3156         for (; x < DIV_ROUND_UP(width, VNC_DIRTY_PIXELS_PER_BIT);
3157              x++, guest_ptr += cmp_bytes, server_ptr += cmp_bytes) {
3158             int _cmp_bytes = cmp_bytes;
3159             if (!test_and_clear_bit(x, vd->guest.dirty[y])) {
3160                 continue;
3161             }
3162             if ((x + 1) * cmp_bytes > line_bytes) {
3163                 _cmp_bytes = line_bytes - x * cmp_bytes;
3164             }
3165             assert(_cmp_bytes >= 0);
3166             if (memcmp(server_ptr, guest_ptr, _cmp_bytes) == 0) {
3167                 continue;
3168             }
3169             memcpy(server_ptr, guest_ptr, _cmp_bytes);
3170             if (!vd->non_adaptive) {
3171                 vnc_rect_updated(vd, x * VNC_DIRTY_PIXELS_PER_BIT,
3172                                  y, &tv);
3173             }
3174             QTAILQ_FOREACH(vs, &vd->clients, next) {
3175                 set_bit(x, vs->dirty[y]);
3176             }
3177             has_dirty++;
3178         }
3179 
3180         y++;
3181         offset = find_next_bit((unsigned long *) &vd->guest.dirty,
3182                                height * VNC_DIRTY_BPL(&vd->guest),
3183                                y * VNC_DIRTY_BPL(&vd->guest));
3184         if (offset == height * VNC_DIRTY_BPL(&vd->guest)) {
3185             /* no more dirty bits */
3186             break;
3187         }
3188     }
3189     qemu_pixman_image_unref(tmpbuf);
3190     return has_dirty;
3191 }
3192 
3193 static void vnc_refresh(DisplayChangeListener *dcl)
3194 {
3195     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
3196     VncState *vs, *vn;
3197     int has_dirty, rects = 0;
3198 
3199     if (QTAILQ_EMPTY(&vd->clients)) {
3200         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_MAX);
3201         return;
3202     }
3203 
3204     graphic_hw_update(vd->dcl.con);
3205 
3206     if (vnc_trylock_display(vd)) {
3207         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
3208         return;
3209     }
3210 
3211     has_dirty = vnc_refresh_server_surface(vd);
3212     vnc_unlock_display(vd);
3213 
3214     QTAILQ_FOREACH_SAFE(vs, &vd->clients, next, vn) {
3215         rects += vnc_update_client(vs, has_dirty);
3216         /* vs might be free()ed here */
3217     }
3218 
3219     if (has_dirty && rects) {
3220         vd->dcl.update_interval /= 2;
3221         if (vd->dcl.update_interval < VNC_REFRESH_INTERVAL_BASE) {
3222             vd->dcl.update_interval = VNC_REFRESH_INTERVAL_BASE;
3223         }
3224     } else {
3225         vd->dcl.update_interval += VNC_REFRESH_INTERVAL_INC;
3226         if (vd->dcl.update_interval > VNC_REFRESH_INTERVAL_MAX) {
3227             vd->dcl.update_interval = VNC_REFRESH_INTERVAL_MAX;
3228         }
3229     }
3230 }
3231 
3232 static void vnc_connect(VncDisplay *vd, QIOChannelSocket *sioc,
3233                         bool skipauth, bool websocket)
3234 {
3235     VncState *vs = g_new0(VncState, 1);
3236     bool first_client = QTAILQ_EMPTY(&vd->clients);
3237     int i;
3238 
3239     trace_vnc_client_connect(vs, sioc);
3240     vs->zrle = g_new0(VncZrle, 1);
3241     vs->tight = g_new0(VncTight, 1);
3242     vs->magic = VNC_MAGIC;
3243     vs->sioc = sioc;
3244     object_ref(OBJECT(vs->sioc));
3245     vs->ioc = QIO_CHANNEL(sioc);
3246     object_ref(OBJECT(vs->ioc));
3247     vs->vd = vd;
3248 
3249     buffer_init(&vs->input,          "vnc-input/%p", sioc);
3250     buffer_init(&vs->output,         "vnc-output/%p", sioc);
3251     buffer_init(&vs->jobs_buffer,    "vnc-jobs_buffer/%p", sioc);
3252 
3253     buffer_init(&vs->tight->tight,    "vnc-tight/%p", sioc);
3254     buffer_init(&vs->tight->zlib,     "vnc-tight-zlib/%p", sioc);
3255     buffer_init(&vs->tight->gradient, "vnc-tight-gradient/%p", sioc);
3256 #ifdef CONFIG_VNC_JPEG
3257     buffer_init(&vs->tight->jpeg,     "vnc-tight-jpeg/%p", sioc);
3258 #endif
3259 #ifdef CONFIG_PNG
3260     buffer_init(&vs->tight->png,      "vnc-tight-png/%p", sioc);
3261 #endif
3262     buffer_init(&vs->zlib.zlib,      "vnc-zlib/%p", sioc);
3263     buffer_init(&vs->zrle->zrle,      "vnc-zrle/%p", sioc);
3264     buffer_init(&vs->zrle->fb,        "vnc-zrle-fb/%p", sioc);
3265     buffer_init(&vs->zrle->zlib,      "vnc-zrle-zlib/%p", sioc);
3266 
3267     if (skipauth) {
3268         vs->auth = VNC_AUTH_NONE;
3269         vs->subauth = VNC_AUTH_INVALID;
3270     } else {
3271         if (websocket) {
3272             vs->auth = vd->ws_auth;
3273             vs->subauth = VNC_AUTH_INVALID;
3274         } else {
3275             vs->auth = vd->auth;
3276             vs->subauth = vd->subauth;
3277         }
3278     }
3279     VNC_DEBUG("Client sioc=%p ws=%d auth=%d subauth=%d\n",
3280               sioc, websocket, vs->auth, vs->subauth);
3281 
3282     vs->lossy_rect = g_malloc0(VNC_STAT_ROWS * sizeof (*vs->lossy_rect));
3283     for (i = 0; i < VNC_STAT_ROWS; ++i) {
3284         vs->lossy_rect[i] = g_new0(uint8_t, VNC_STAT_COLS);
3285     }
3286 
3287     VNC_DEBUG("New client on socket %p\n", vs->sioc);
3288     update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
3289     qio_channel_set_blocking(vs->ioc, false, NULL);
3290     if (vs->ioc_tag) {
3291         g_source_remove(vs->ioc_tag);
3292     }
3293     if (websocket) {
3294         vs->websocket = 1;
3295         if (vd->tlscreds) {
3296             vs->ioc_tag = qio_channel_add_watch(
3297                 vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
3298                 vncws_tls_handshake_io, vs, NULL);
3299         } else {
3300             vs->ioc_tag = qio_channel_add_watch(
3301                 vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
3302                 vncws_handshake_io, vs, NULL);
3303         }
3304     } else {
3305         vs->ioc_tag = qio_channel_add_watch(
3306             vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
3307             vnc_client_io, vs, NULL);
3308     }
3309 
3310     vnc_client_cache_addr(vs);
3311     vnc_qmp_event(vs, QAPI_EVENT_VNC_CONNECTED);
3312     vnc_set_share_mode(vs, VNC_SHARE_MODE_CONNECTING);
3313 
3314     vs->last_x = -1;
3315     vs->last_y = -1;
3316 
3317     vs->as.freq = 44100;
3318     vs->as.nchannels = 2;
3319     vs->as.fmt = AUDIO_FORMAT_S16;
3320     vs->as.endianness = 0;
3321 
3322     qemu_mutex_init(&vs->output_mutex);
3323     vs->bh = qemu_bh_new(vnc_jobs_bh, vs);
3324 
3325     QTAILQ_INSERT_TAIL(&vd->clients, vs, next);
3326     if (first_client) {
3327         vnc_update_server_surface(vd);
3328     }
3329 
3330     graphic_hw_update(vd->dcl.con);
3331 
3332     if (!vs->websocket) {
3333         vnc_start_protocol(vs);
3334     }
3335 
3336     if (vd->num_connecting > vd->connections_limit) {
3337         QTAILQ_FOREACH(vs, &vd->clients, next) {
3338             if (vs->share_mode == VNC_SHARE_MODE_CONNECTING) {
3339                 vnc_disconnect_start(vs);
3340                 return;
3341             }
3342         }
3343     }
3344 }
3345 
3346 void vnc_start_protocol(VncState *vs)
3347 {
3348     vnc_write(vs, "RFB 003.008\n", 12);
3349     vnc_flush(vs);
3350     vnc_read_when(vs, protocol_version, 12);
3351 
3352     vs->mouse_mode_notifier.notify = check_pointer_type_change;
3353     qemu_add_mouse_mode_change_notifier(&vs->mouse_mode_notifier);
3354 }
3355 
3356 static void vnc_listen_io(QIONetListener *listener,
3357                           QIOChannelSocket *cioc,
3358                           void *opaque)
3359 {
3360     VncDisplay *vd = opaque;
3361     bool isWebsock = listener == vd->wslistener;
3362 
3363     qio_channel_set_name(QIO_CHANNEL(cioc),
3364                          isWebsock ? "vnc-ws-server" : "vnc-server");
3365     qio_channel_set_delay(QIO_CHANNEL(cioc), false);
3366     vnc_connect(vd, cioc, false, isWebsock);
3367 }
3368 
3369 static const DisplayChangeListenerOps dcl_ops = {
3370     .dpy_name             = "vnc",
3371     .dpy_refresh          = vnc_refresh,
3372     .dpy_gfx_update       = vnc_dpy_update,
3373     .dpy_gfx_switch       = vnc_dpy_switch,
3374     .dpy_gfx_check_format = qemu_pixman_check_format,
3375     .dpy_mouse_set        = vnc_mouse_set,
3376     .dpy_cursor_define    = vnc_dpy_cursor_define,
3377 };
3378 
3379 void vnc_display_init(const char *id, Error **errp)
3380 {
3381     VncDisplay *vd;
3382 
3383     if (vnc_display_find(id) != NULL) {
3384         return;
3385     }
3386     vd = g_malloc0(sizeof(*vd));
3387 
3388     vd->id = strdup(id);
3389     QTAILQ_INSERT_TAIL(&vnc_displays, vd, next);
3390 
3391     QTAILQ_INIT(&vd->clients);
3392     vd->expires = TIME_MAX;
3393 
3394     if (keyboard_layout) {
3395         trace_vnc_key_map_init(keyboard_layout);
3396         vd->kbd_layout = init_keyboard_layout(name2keysym,
3397                                               keyboard_layout, errp);
3398     } else {
3399         vd->kbd_layout = init_keyboard_layout(name2keysym, "en-us", errp);
3400     }
3401 
3402     if (!vd->kbd_layout) {
3403         return;
3404     }
3405 
3406     vd->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
3407     vd->connections_limit = 32;
3408 
3409     qemu_mutex_init(&vd->mutex);
3410     vnc_start_worker_thread();
3411 
3412     vd->dcl.ops = &dcl_ops;
3413     register_displaychangelistener(&vd->dcl);
3414     vd->kbd = qkbd_state_init(vd->dcl.con);
3415 }
3416 
3417 
3418 static void vnc_display_close(VncDisplay *vd)
3419 {
3420     if (!vd) {
3421         return;
3422     }
3423     vd->is_unix = false;
3424 
3425     if (vd->listener) {
3426         qio_net_listener_disconnect(vd->listener);
3427         object_unref(OBJECT(vd->listener));
3428     }
3429     vd->listener = NULL;
3430 
3431     if (vd->wslistener) {
3432         qio_net_listener_disconnect(vd->wslistener);
3433         object_unref(OBJECT(vd->wslistener));
3434     }
3435     vd->wslistener = NULL;
3436 
3437     vd->auth = VNC_AUTH_INVALID;
3438     vd->subauth = VNC_AUTH_INVALID;
3439     if (vd->tlscreds) {
3440         object_unref(OBJECT(vd->tlscreds));
3441         vd->tlscreds = NULL;
3442     }
3443     if (vd->tlsauthz) {
3444         object_unparent(OBJECT(vd->tlsauthz));
3445         vd->tlsauthz = NULL;
3446     }
3447     g_free(vd->tlsauthzid);
3448     vd->tlsauthzid = NULL;
3449     if (vd->lock_key_sync) {
3450         qemu_remove_led_event_handler(vd->led);
3451         vd->led = NULL;
3452     }
3453 #ifdef CONFIG_VNC_SASL
3454     if (vd->sasl.authz) {
3455         object_unparent(OBJECT(vd->sasl.authz));
3456         vd->sasl.authz = NULL;
3457     }
3458     g_free(vd->sasl.authzid);
3459     vd->sasl.authzid = NULL;
3460 #endif
3461 }
3462 
3463 int vnc_display_password(const char *id, const char *password)
3464 {
3465     VncDisplay *vd = vnc_display_find(id);
3466 
3467     if (!vd) {
3468         return -EINVAL;
3469     }
3470     if (vd->auth == VNC_AUTH_NONE) {
3471         error_printf_unless_qmp("If you want use passwords please enable "
3472                                 "password auth using '-vnc ${dpy},password'.\n");
3473         return -EINVAL;
3474     }
3475 
3476     g_free(vd->password);
3477     vd->password = g_strdup(password);
3478 
3479     return 0;
3480 }
3481 
3482 int vnc_display_pw_expire(const char *id, time_t expires)
3483 {
3484     VncDisplay *vd = vnc_display_find(id);
3485 
3486     if (!vd) {
3487         return -EINVAL;
3488     }
3489 
3490     vd->expires = expires;
3491     return 0;
3492 }
3493 
3494 static void vnc_display_print_local_addr(VncDisplay *vd)
3495 {
3496     SocketAddress *addr;
3497 
3498     if (!vd->listener || !vd->listener->nsioc) {
3499         return;
3500     }
3501 
3502     addr = qio_channel_socket_get_local_address(vd->listener->sioc[0], NULL);
3503     if (!addr) {
3504         return;
3505     }
3506 
3507     if (addr->type != SOCKET_ADDRESS_TYPE_INET) {
3508         qapi_free_SocketAddress(addr);
3509         return;
3510     }
3511     error_printf_unless_qmp("VNC server running on %s:%s\n",
3512                             addr->u.inet.host,
3513                             addr->u.inet.port);
3514     qapi_free_SocketAddress(addr);
3515 }
3516 
3517 static QemuOptsList qemu_vnc_opts = {
3518     .name = "vnc",
3519     .head = QTAILQ_HEAD_INITIALIZER(qemu_vnc_opts.head),
3520     .implied_opt_name = "vnc",
3521     .desc = {
3522         {
3523             .name = "vnc",
3524             .type = QEMU_OPT_STRING,
3525         },{
3526             .name = "websocket",
3527             .type = QEMU_OPT_STRING,
3528         },{
3529             .name = "tls-creds",
3530             .type = QEMU_OPT_STRING,
3531         },{
3532             .name = "share",
3533             .type = QEMU_OPT_STRING,
3534         },{
3535             .name = "display",
3536             .type = QEMU_OPT_STRING,
3537         },{
3538             .name = "head",
3539             .type = QEMU_OPT_NUMBER,
3540         },{
3541             .name = "connections",
3542             .type = QEMU_OPT_NUMBER,
3543         },{
3544             .name = "to",
3545             .type = QEMU_OPT_NUMBER,
3546         },{
3547             .name = "ipv4",
3548             .type = QEMU_OPT_BOOL,
3549         },{
3550             .name = "ipv6",
3551             .type = QEMU_OPT_BOOL,
3552         },{
3553             .name = "password",
3554             .type = QEMU_OPT_BOOL,
3555         },{
3556             .name = "password-secret",
3557             .type = QEMU_OPT_STRING,
3558         },{
3559             .name = "reverse",
3560             .type = QEMU_OPT_BOOL,
3561         },{
3562             .name = "lock-key-sync",
3563             .type = QEMU_OPT_BOOL,
3564         },{
3565             .name = "key-delay-ms",
3566             .type = QEMU_OPT_NUMBER,
3567         },{
3568             .name = "sasl",
3569             .type = QEMU_OPT_BOOL,
3570         },{
3571             .name = "tls-authz",
3572             .type = QEMU_OPT_STRING,
3573         },{
3574             .name = "sasl-authz",
3575             .type = QEMU_OPT_STRING,
3576         },{
3577             .name = "lossy",
3578             .type = QEMU_OPT_BOOL,
3579         },{
3580             .name = "non-adaptive",
3581             .type = QEMU_OPT_BOOL,
3582         },{
3583             .name = "audiodev",
3584             .type = QEMU_OPT_STRING,
3585         },{
3586             .name = "power-control",
3587             .type = QEMU_OPT_BOOL,
3588         },
3589         { /* end of list */ }
3590     },
3591 };
3592 
3593 
3594 static int
3595 vnc_display_setup_auth(int *auth,
3596                        int *subauth,
3597                        QCryptoTLSCreds *tlscreds,
3598                        bool password,
3599                        bool sasl,
3600                        bool websocket,
3601                        Error **errp)
3602 {
3603     /*
3604      * We have a choice of 3 authentication options
3605      *
3606      *   1. none
3607      *   2. vnc
3608      *   3. sasl
3609      *
3610      * The channel can be run in 2 modes
3611      *
3612      *   1. clear
3613      *   2. tls
3614      *
3615      * And TLS can use 2 types of credentials
3616      *
3617      *   1. anon
3618      *   2. x509
3619      *
3620      * We thus have 9 possible logical combinations
3621      *
3622      *   1. clear + none
3623      *   2. clear + vnc
3624      *   3. clear + sasl
3625      *   4. tls + anon + none
3626      *   5. tls + anon + vnc
3627      *   6. tls + anon + sasl
3628      *   7. tls + x509 + none
3629      *   8. tls + x509 + vnc
3630      *   9. tls + x509 + sasl
3631      *
3632      * These need to be mapped into the VNC auth schemes
3633      * in an appropriate manner. In regular VNC, all the
3634      * TLS options get mapped into VNC_AUTH_VENCRYPT
3635      * sub-auth types.
3636      *
3637      * In websockets, the https:// protocol already provides
3638      * TLS support, so there is no need to make use of the
3639      * VeNCrypt extension. Furthermore, websockets browser
3640      * clients could not use VeNCrypt even if they wanted to,
3641      * as they cannot control when the TLS handshake takes
3642      * place. Thus there is no option but to rely on https://,
3643      * meaning combinations 4->6 and 7->9 will be mapped to
3644      * VNC auth schemes in the same way as combos 1->3.
3645      *
3646      * Regardless of fact that we have a different mapping to
3647      * VNC auth mechs for plain VNC vs websockets VNC, the end
3648      * result has the same security characteristics.
3649      */
3650     if (websocket || !tlscreds) {
3651         if (password) {
3652             VNC_DEBUG("Initializing VNC server with password auth\n");
3653             *auth = VNC_AUTH_VNC;
3654         } else if (sasl) {
3655             VNC_DEBUG("Initializing VNC server with SASL auth\n");
3656             *auth = VNC_AUTH_SASL;
3657         } else {
3658             VNC_DEBUG("Initializing VNC server with no auth\n");
3659             *auth = VNC_AUTH_NONE;
3660         }
3661         *subauth = VNC_AUTH_INVALID;
3662     } else {
3663         bool is_x509 = object_dynamic_cast(OBJECT(tlscreds),
3664                                            TYPE_QCRYPTO_TLS_CREDS_X509) != NULL;
3665         bool is_anon = object_dynamic_cast(OBJECT(tlscreds),
3666                                            TYPE_QCRYPTO_TLS_CREDS_ANON) != NULL;
3667 
3668         if (!is_x509 && !is_anon) {
3669             error_setg(errp,
3670                        "Unsupported TLS cred type %s",
3671                        object_get_typename(OBJECT(tlscreds)));
3672             return -1;
3673         }
3674         *auth = VNC_AUTH_VENCRYPT;
3675         if (password) {
3676             if (is_x509) {
3677                 VNC_DEBUG("Initializing VNC server with x509 password auth\n");
3678                 *subauth = VNC_AUTH_VENCRYPT_X509VNC;
3679             } else {
3680                 VNC_DEBUG("Initializing VNC server with TLS password auth\n");
3681                 *subauth = VNC_AUTH_VENCRYPT_TLSVNC;
3682             }
3683 
3684         } else if (sasl) {
3685             if (is_x509) {
3686                 VNC_DEBUG("Initializing VNC server with x509 SASL auth\n");
3687                 *subauth = VNC_AUTH_VENCRYPT_X509SASL;
3688             } else {
3689                 VNC_DEBUG("Initializing VNC server with TLS SASL auth\n");
3690                 *subauth = VNC_AUTH_VENCRYPT_TLSSASL;
3691             }
3692         } else {
3693             if (is_x509) {
3694                 VNC_DEBUG("Initializing VNC server with x509 no auth\n");
3695                 *subauth = VNC_AUTH_VENCRYPT_X509NONE;
3696             } else {
3697                 VNC_DEBUG("Initializing VNC server with TLS no auth\n");
3698                 *subauth = VNC_AUTH_VENCRYPT_TLSNONE;
3699             }
3700         }
3701     }
3702     return 0;
3703 }
3704 
3705 
3706 static int vnc_display_get_address(const char *addrstr,
3707                                    bool websocket,
3708                                    bool reverse,
3709                                    int displaynum,
3710                                    int to,
3711                                    bool has_ipv4,
3712                                    bool has_ipv6,
3713                                    bool ipv4,
3714                                    bool ipv6,
3715                                    SocketAddress **retaddr,
3716                                    Error **errp)
3717 {
3718     int ret = -1;
3719     SocketAddress *addr = NULL;
3720 
3721     addr = g_new0(SocketAddress, 1);
3722 
3723     if (strncmp(addrstr, "unix:", 5) == 0) {
3724         addr->type = SOCKET_ADDRESS_TYPE_UNIX;
3725         addr->u.q_unix.path = g_strdup(addrstr + 5);
3726 
3727         if (websocket) {
3728             error_setg(errp, "UNIX sockets not supported with websock");
3729             goto cleanup;
3730         }
3731 
3732         if (to) {
3733             error_setg(errp, "Port range not support with UNIX socket");
3734             goto cleanup;
3735         }
3736         ret = 0;
3737     } else {
3738         const char *port;
3739         size_t hostlen;
3740         unsigned long long baseport = 0;
3741         InetSocketAddress *inet;
3742 
3743         port = strrchr(addrstr, ':');
3744         if (!port) {
3745             if (websocket) {
3746                 hostlen = 0;
3747                 port = addrstr;
3748             } else {
3749                 error_setg(errp, "no vnc port specified");
3750                 goto cleanup;
3751             }
3752         } else {
3753             hostlen = port - addrstr;
3754             port++;
3755             if (*port == '\0') {
3756                 error_setg(errp, "vnc port cannot be empty");
3757                 goto cleanup;
3758             }
3759         }
3760 
3761         addr->type = SOCKET_ADDRESS_TYPE_INET;
3762         inet = &addr->u.inet;
3763         if (addrstr[0] == '[' && addrstr[hostlen - 1] == ']') {
3764             inet->host = g_strndup(addrstr + 1, hostlen - 2);
3765         } else {
3766             inet->host = g_strndup(addrstr, hostlen);
3767         }
3768         /* plain VNC port is just an offset, for websocket
3769          * port is absolute */
3770         if (websocket) {
3771             if (g_str_equal(addrstr, "") ||
3772                 g_str_equal(addrstr, "on")) {
3773                 if (displaynum == -1) {
3774                     error_setg(errp, "explicit websocket port is required");
3775                     goto cleanup;
3776                 }
3777                 inet->port = g_strdup_printf(
3778                     "%d", displaynum + 5700);
3779                 if (to) {
3780                     inet->has_to = true;
3781                     inet->to = to + 5700;
3782                 }
3783             } else {
3784                 inet->port = g_strdup(port);
3785             }
3786         } else {
3787             int offset = reverse ? 0 : 5900;
3788             if (parse_uint_full(port, &baseport, 10) < 0) {
3789                 error_setg(errp, "can't convert to a number: %s", port);
3790                 goto cleanup;
3791             }
3792             if (baseport > 65535 ||
3793                 baseport + offset > 65535) {
3794                 error_setg(errp, "port %s out of range", port);
3795                 goto cleanup;
3796             }
3797             inet->port = g_strdup_printf(
3798                 "%d", (int)baseport + offset);
3799 
3800             if (to) {
3801                 inet->has_to = true;
3802                 inet->to = to + offset;
3803             }
3804         }
3805 
3806         inet->ipv4 = ipv4;
3807         inet->has_ipv4 = has_ipv4;
3808         inet->ipv6 = ipv6;
3809         inet->has_ipv6 = has_ipv6;
3810 
3811         ret = baseport;
3812     }
3813 
3814     *retaddr = addr;
3815 
3816  cleanup:
3817     if (ret < 0) {
3818         qapi_free_SocketAddress(addr);
3819     }
3820     return ret;
3821 }
3822 
3823 static int vnc_display_get_addresses(QemuOpts *opts,
3824                                      bool reverse,
3825                                      SocketAddressList **saddr_list_ret,
3826                                      SocketAddressList **wsaddr_list_ret,
3827                                      Error **errp)
3828 {
3829     SocketAddress *saddr = NULL;
3830     SocketAddress *wsaddr = NULL;
3831     g_autoptr(SocketAddressList) saddr_list = NULL;
3832     SocketAddressList **saddr_tail = &saddr_list;
3833     SocketAddress *single_saddr = NULL;
3834     g_autoptr(SocketAddressList) wsaddr_list = NULL;
3835     SocketAddressList **wsaddr_tail = &wsaddr_list;
3836     QemuOptsIter addriter;
3837     const char *addr;
3838     int to = qemu_opt_get_number(opts, "to", 0);
3839     bool has_ipv4 = qemu_opt_get(opts, "ipv4");
3840     bool has_ipv6 = qemu_opt_get(opts, "ipv6");
3841     bool ipv4 = qemu_opt_get_bool(opts, "ipv4", false);
3842     bool ipv6 = qemu_opt_get_bool(opts, "ipv6", false);
3843     int displaynum = -1;
3844 
3845     addr = qemu_opt_get(opts, "vnc");
3846     if (addr == NULL || g_str_equal(addr, "none")) {
3847         return 0;
3848     }
3849     if (qemu_opt_get(opts, "websocket") &&
3850         !qcrypto_hash_supports(QCRYPTO_HASH_ALG_SHA1)) {
3851         error_setg(errp,
3852                    "SHA1 hash support is required for websockets");
3853         return -1;
3854     }
3855 
3856     qemu_opt_iter_init(&addriter, opts, "vnc");
3857     while ((addr = qemu_opt_iter_next(&addriter)) != NULL) {
3858         int rv;
3859         rv = vnc_display_get_address(addr, false, reverse, 0, to,
3860                                      has_ipv4, has_ipv6,
3861                                      ipv4, ipv6,
3862                                      &saddr, errp);
3863         if (rv < 0) {
3864             return -1;
3865         }
3866         /* Historical compat - first listen address can be used
3867          * to set the default websocket port
3868          */
3869         if (displaynum == -1) {
3870             displaynum = rv;
3871         }
3872         QAPI_LIST_APPEND(saddr_tail, saddr);
3873     }
3874 
3875     if (saddr_list && !saddr_list->next) {
3876         single_saddr = saddr_list->value;
3877     } else {
3878         /*
3879          * If we had multiple primary displays, we don't do defaults
3880          * for websocket, and require explicit config instead.
3881          */
3882         displaynum = -1;
3883     }
3884 
3885     qemu_opt_iter_init(&addriter, opts, "websocket");
3886     while ((addr = qemu_opt_iter_next(&addriter)) != NULL) {
3887         if (vnc_display_get_address(addr, true, reverse, displaynum, to,
3888                                     has_ipv4, has_ipv6,
3889                                     ipv4, ipv6,
3890                                     &wsaddr, errp) < 0) {
3891             return -1;
3892         }
3893 
3894         /* Historical compat - if only a single listen address was
3895          * provided, then this is used to set the default listen
3896          * address for websocket too
3897          */
3898         if (single_saddr &&
3899             single_saddr->type == SOCKET_ADDRESS_TYPE_INET &&
3900             wsaddr->type == SOCKET_ADDRESS_TYPE_INET &&
3901             g_str_equal(wsaddr->u.inet.host, "") &&
3902             !g_str_equal(single_saddr->u.inet.host, "")) {
3903             g_free(wsaddr->u.inet.host);
3904             wsaddr->u.inet.host = g_strdup(single_saddr->u.inet.host);
3905         }
3906 
3907         QAPI_LIST_APPEND(wsaddr_tail, wsaddr);
3908     }
3909 
3910     *saddr_list_ret = g_steal_pointer(&saddr_list);
3911     *wsaddr_list_ret = g_steal_pointer(&wsaddr_list);
3912     return 0;
3913 }
3914 
3915 static int vnc_display_connect(VncDisplay *vd,
3916                                SocketAddressList *saddr_list,
3917                                SocketAddressList *wsaddr_list,
3918                                Error **errp)
3919 {
3920     /* connect to viewer */
3921     QIOChannelSocket *sioc = NULL;
3922     if (wsaddr_list) {
3923         error_setg(errp, "Cannot use websockets in reverse mode");
3924         return -1;
3925     }
3926     if (!saddr_list || saddr_list->next) {
3927         error_setg(errp, "Expected a single address in reverse mode");
3928         return -1;
3929     }
3930     /* TODO SOCKET_ADDRESS_TYPE_FD when fd has AF_UNIX */
3931     vd->is_unix = saddr_list->value->type == SOCKET_ADDRESS_TYPE_UNIX;
3932     sioc = qio_channel_socket_new();
3933     qio_channel_set_name(QIO_CHANNEL(sioc), "vnc-reverse");
3934     if (qio_channel_socket_connect_sync(sioc, saddr_list->value, errp) < 0) {
3935         object_unref(OBJECT(sioc));
3936         return -1;
3937     }
3938     vnc_connect(vd, sioc, false, false);
3939     object_unref(OBJECT(sioc));
3940     return 0;
3941 }
3942 
3943 
3944 static int vnc_display_listen(VncDisplay *vd,
3945                               SocketAddressList *saddr_list,
3946                               SocketAddressList *wsaddr_list,
3947                               Error **errp)
3948 {
3949     SocketAddressList *el;
3950 
3951     if (saddr_list) {
3952         vd->listener = qio_net_listener_new();
3953         qio_net_listener_set_name(vd->listener, "vnc-listen");
3954         for (el = saddr_list; el; el = el->next) {
3955             if (qio_net_listener_open_sync(vd->listener,
3956                                            el->value, 1,
3957                                            errp) < 0)  {
3958                 return -1;
3959             }
3960         }
3961 
3962         qio_net_listener_set_client_func(vd->listener,
3963                                          vnc_listen_io, vd, NULL);
3964     }
3965 
3966     if (wsaddr_list) {
3967         vd->wslistener = qio_net_listener_new();
3968         qio_net_listener_set_name(vd->wslistener, "vnc-ws-listen");
3969         for (el = wsaddr_list; el; el = el->next) {
3970             if (qio_net_listener_open_sync(vd->wslistener,
3971                                            el->value, 1,
3972                                            errp) < 0)  {
3973                 return -1;
3974             }
3975         }
3976 
3977         qio_net_listener_set_client_func(vd->wslistener,
3978                                          vnc_listen_io, vd, NULL);
3979     }
3980 
3981     return 0;
3982 }
3983 
3984 bool vnc_display_update(DisplayUpdateOptionsVNC *arg, Error **errp)
3985 {
3986     VncDisplay *vd = vnc_display_find(NULL);
3987 
3988     if (!vd) {
3989         error_setg(errp, "Can not find vnc display");
3990         return false;
3991     }
3992 
3993     if (arg->has_addresses) {
3994         if (vd->listener) {
3995             qio_net_listener_disconnect(vd->listener);
3996             object_unref(OBJECT(vd->listener));
3997             vd->listener = NULL;
3998         }
3999 
4000         if (vnc_display_listen(vd, arg->addresses, NULL, errp) < 0) {
4001             return false;
4002         }
4003     }
4004 
4005     return true;
4006 }
4007 
4008 void vnc_display_open(const char *id, Error **errp)
4009 {
4010     VncDisplay *vd = vnc_display_find(id);
4011     QemuOpts *opts = qemu_opts_find(&qemu_vnc_opts, id);
4012     g_autoptr(SocketAddressList) saddr_list = NULL;
4013     g_autoptr(SocketAddressList) wsaddr_list = NULL;
4014     const char *share, *device_id;
4015     QemuConsole *con;
4016     bool password = false;
4017     bool reverse = false;
4018     const char *credid;
4019     bool sasl = false;
4020     const char *tlsauthz;
4021     const char *saslauthz;
4022     int lock_key_sync = 1;
4023     int key_delay_ms;
4024     const char *audiodev;
4025     const char *passwordSecret;
4026 
4027     if (!vd) {
4028         error_setg(errp, "VNC display not active");
4029         return;
4030     }
4031     vnc_display_close(vd);
4032 
4033     if (!opts) {
4034         return;
4035     }
4036 
4037     reverse = qemu_opt_get_bool(opts, "reverse", false);
4038     if (vnc_display_get_addresses(opts, reverse, &saddr_list, &wsaddr_list,
4039                                   errp) < 0) {
4040         goto fail;
4041     }
4042 
4043 
4044     passwordSecret = qemu_opt_get(opts, "password-secret");
4045     if (passwordSecret) {
4046         if (qemu_opt_get(opts, "password")) {
4047             error_setg(errp,
4048                        "'password' flag is redundant with 'password-secret'");
4049             goto fail;
4050         }
4051         vd->password = qcrypto_secret_lookup_as_utf8(passwordSecret,
4052                                                      errp);
4053         if (!vd->password) {
4054             goto fail;
4055         }
4056         password = true;
4057     } else {
4058         password = qemu_opt_get_bool(opts, "password", false);
4059     }
4060     if (password) {
4061         if (!qcrypto_cipher_supports(
4062                 QCRYPTO_CIPHER_ALG_DES, QCRYPTO_CIPHER_MODE_ECB)) {
4063             error_setg(errp,
4064                        "Cipher backend does not support DES algorithm");
4065             goto fail;
4066         }
4067     }
4068 
4069     lock_key_sync = qemu_opt_get_bool(opts, "lock-key-sync", true);
4070     key_delay_ms = qemu_opt_get_number(opts, "key-delay-ms", 10);
4071     sasl = qemu_opt_get_bool(opts, "sasl", false);
4072 #ifndef CONFIG_VNC_SASL
4073     if (sasl) {
4074         error_setg(errp, "VNC SASL auth requires cyrus-sasl support");
4075         goto fail;
4076     }
4077 #endif /* CONFIG_VNC_SASL */
4078     credid = qemu_opt_get(opts, "tls-creds");
4079     if (credid) {
4080         Object *creds;
4081         creds = object_resolve_path_component(
4082             object_get_objects_root(), credid);
4083         if (!creds) {
4084             error_setg(errp, "No TLS credentials with id '%s'",
4085                        credid);
4086             goto fail;
4087         }
4088         vd->tlscreds = (QCryptoTLSCreds *)
4089             object_dynamic_cast(creds,
4090                                 TYPE_QCRYPTO_TLS_CREDS);
4091         if (!vd->tlscreds) {
4092             error_setg(errp, "Object with id '%s' is not TLS credentials",
4093                        credid);
4094             goto fail;
4095         }
4096         object_ref(OBJECT(vd->tlscreds));
4097 
4098         if (!qcrypto_tls_creds_check_endpoint(vd->tlscreds,
4099                                               QCRYPTO_TLS_CREDS_ENDPOINT_SERVER,
4100                                               errp)) {
4101             goto fail;
4102         }
4103     }
4104     tlsauthz = qemu_opt_get(opts, "tls-authz");
4105     if (tlsauthz && !vd->tlscreds) {
4106         error_setg(errp, "'tls-authz' provided but TLS is not enabled");
4107         goto fail;
4108     }
4109 
4110     saslauthz = qemu_opt_get(opts, "sasl-authz");
4111     if (saslauthz && !sasl) {
4112         error_setg(errp, "'sasl-authz' provided but SASL auth is not enabled");
4113         goto fail;
4114     }
4115 
4116     share = qemu_opt_get(opts, "share");
4117     if (share) {
4118         if (strcmp(share, "ignore") == 0) {
4119             vd->share_policy = VNC_SHARE_POLICY_IGNORE;
4120         } else if (strcmp(share, "allow-exclusive") == 0) {
4121             vd->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
4122         } else if (strcmp(share, "force-shared") == 0) {
4123             vd->share_policy = VNC_SHARE_POLICY_FORCE_SHARED;
4124         } else {
4125             error_setg(errp, "unknown vnc share= option");
4126             goto fail;
4127         }
4128     } else {
4129         vd->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
4130     }
4131     vd->connections_limit = qemu_opt_get_number(opts, "connections", 32);
4132 
4133 #ifdef CONFIG_VNC_JPEG
4134     vd->lossy = qemu_opt_get_bool(opts, "lossy", false);
4135 #endif
4136     vd->non_adaptive = qemu_opt_get_bool(opts, "non-adaptive", false);
4137     /* adaptive updates are only used with tight encoding and
4138      * if lossy updates are enabled so we can disable all the
4139      * calculations otherwise */
4140     if (!vd->lossy) {
4141         vd->non_adaptive = true;
4142     }
4143 
4144     vd->power_control = qemu_opt_get_bool(opts, "power-control", false);
4145 
4146     if (tlsauthz) {
4147         vd->tlsauthzid = g_strdup(tlsauthz);
4148     }
4149 #ifdef CONFIG_VNC_SASL
4150     if (sasl) {
4151         if (saslauthz) {
4152             vd->sasl.authzid = g_strdup(saslauthz);
4153         }
4154     }
4155 #endif
4156 
4157     if (vnc_display_setup_auth(&vd->auth, &vd->subauth,
4158                                vd->tlscreds, password,
4159                                sasl, false, errp) < 0) {
4160         goto fail;
4161     }
4162     trace_vnc_auth_init(vd, 0, vd->auth, vd->subauth);
4163 
4164     if (vnc_display_setup_auth(&vd->ws_auth, &vd->ws_subauth,
4165                                vd->tlscreds, password,
4166                                sasl, true, errp) < 0) {
4167         goto fail;
4168     }
4169     trace_vnc_auth_init(vd, 1, vd->ws_auth, vd->ws_subauth);
4170 
4171 #ifdef CONFIG_VNC_SASL
4172     if (sasl && !vnc_sasl_server_init(errp)) {
4173         goto fail;
4174     }
4175 #endif
4176     vd->lock_key_sync = lock_key_sync;
4177     if (lock_key_sync) {
4178         vd->led = qemu_add_led_event_handler(kbd_leds, vd);
4179     }
4180     vd->ledstate = 0;
4181 
4182     audiodev = qemu_opt_get(opts, "audiodev");
4183     if (audiodev) {
4184         vd->audio_state = audio_state_by_name(audiodev);
4185         if (!vd->audio_state) {
4186             error_setg(errp, "Audiodev '%s' not found", audiodev);
4187             goto fail;
4188         }
4189     }
4190 
4191     device_id = qemu_opt_get(opts, "display");
4192     if (device_id) {
4193         int head = qemu_opt_get_number(opts, "head", 0);
4194         Error *err = NULL;
4195 
4196         con = qemu_console_lookup_by_device_name(device_id, head, &err);
4197         if (err) {
4198             error_propagate(errp, err);
4199             goto fail;
4200         }
4201     } else {
4202         con = NULL;
4203     }
4204 
4205     if (con != vd->dcl.con) {
4206         qkbd_state_free(vd->kbd);
4207         unregister_displaychangelistener(&vd->dcl);
4208         vd->dcl.con = con;
4209         register_displaychangelistener(&vd->dcl);
4210         vd->kbd = qkbd_state_init(vd->dcl.con);
4211     }
4212     qkbd_state_set_delay(vd->kbd, key_delay_ms);
4213 
4214     if (saddr_list == NULL) {
4215         return;
4216     }
4217 
4218     if (reverse) {
4219         if (vnc_display_connect(vd, saddr_list, wsaddr_list, errp) < 0) {
4220             goto fail;
4221         }
4222     } else {
4223         if (vnc_display_listen(vd, saddr_list, wsaddr_list, errp) < 0) {
4224             goto fail;
4225         }
4226     }
4227 
4228     if (qemu_opt_get(opts, "to")) {
4229         vnc_display_print_local_addr(vd);
4230     }
4231 
4232     /* Success */
4233     return;
4234 
4235 fail:
4236     vnc_display_close(vd);
4237 }
4238 
4239 void vnc_display_add_client(const char *id, int csock, bool skipauth)
4240 {
4241     VncDisplay *vd = vnc_display_find(id);
4242     QIOChannelSocket *sioc;
4243 
4244     if (!vd) {
4245         return;
4246     }
4247 
4248     sioc = qio_channel_socket_new_fd(csock, NULL);
4249     if (sioc) {
4250         qio_channel_set_name(QIO_CHANNEL(sioc), "vnc-server");
4251         vnc_connect(vd, sioc, skipauth, false);
4252         object_unref(OBJECT(sioc));
4253     }
4254 }
4255 
4256 static void vnc_auto_assign_id(QemuOptsList *olist, QemuOpts *opts)
4257 {
4258     int i = 2;
4259     char *id;
4260 
4261     id = g_strdup("default");
4262     while (qemu_opts_find(olist, id)) {
4263         g_free(id);
4264         id = g_strdup_printf("vnc%d", i++);
4265     }
4266     qemu_opts_set_id(opts, id);
4267 }
4268 
4269 void vnc_parse(const char *str)
4270 {
4271     QemuOptsList *olist = qemu_find_opts("vnc");
4272     QemuOpts *opts = qemu_opts_parse_noisily(olist, str, !is_help_option(str));
4273     const char *id;
4274 
4275     if (!opts) {
4276         exit(1);
4277     }
4278 
4279     id = qemu_opts_id(opts);
4280     if (!id) {
4281         /* auto-assign id if not present */
4282         vnc_auto_assign_id(olist, opts);
4283     }
4284 }
4285 
4286 int vnc_init_func(void *opaque, QemuOpts *opts, Error **errp)
4287 {
4288     Error *local_err = NULL;
4289     char *id = (char *)qemu_opts_id(opts);
4290 
4291     assert(id);
4292     vnc_display_init(id, &local_err);
4293     if (local_err) {
4294         error_propagate(errp, local_err);
4295         return -1;
4296     }
4297     vnc_display_open(id, &local_err);
4298     if (local_err != NULL) {
4299         error_propagate(errp, local_err);
4300         return -1;
4301     }
4302     return 0;
4303 }
4304 
4305 static void vnc_register_config(void)
4306 {
4307     qemu_add_opts(&qemu_vnc_opts);
4308 }
4309 opts_init(vnc_register_config);
4310