xref: /openbmc/qemu/ui/vnc.c (revision acb0ef58)
1 /*
2  * QEMU VNC display driver
3  *
4  * Copyright (C) 2006 Anthony Liguori <anthony@codemonkey.ws>
5  * Copyright (C) 2006 Fabrice Bellard
6  * Copyright (C) 2009 Red Hat, Inc
7  *
8  * Permission is hereby granted, free of charge, to any person obtaining a copy
9  * of this software and associated documentation files (the "Software"), to deal
10  * in the Software without restriction, including without limitation the rights
11  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
12  * copies of the Software, and to permit persons to whom the Software is
13  * furnished to do so, subject to the following conditions:
14  *
15  * The above copyright notice and this permission notice shall be included in
16  * all copies or substantial portions of the Software.
17  *
18  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
19  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
20  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
21  * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
22  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
23  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
24  * THE SOFTWARE.
25  */
26 
27 #include "vnc.h"
28 #include "vnc-jobs.h"
29 #include "trace.h"
30 #include "sysemu/sysemu.h"
31 #include "qemu/sockets.h"
32 #include "qemu/timer.h"
33 #include "qemu/acl.h"
34 #include "qapi/qmp/types.h"
35 #include "qmp-commands.h"
36 #include "qemu/osdep.h"
37 #include "ui/input.h"
38 
39 #define VNC_REFRESH_INTERVAL_BASE GUI_REFRESH_INTERVAL_DEFAULT
40 #define VNC_REFRESH_INTERVAL_INC  50
41 #define VNC_REFRESH_INTERVAL_MAX  GUI_REFRESH_INTERVAL_IDLE
42 static const struct timeval VNC_REFRESH_STATS = { 0, 500000 };
43 static const struct timeval VNC_REFRESH_LOSSY = { 2, 0 };
44 
45 #include "vnc_keysym.h"
46 #include "d3des.h"
47 
48 static VncDisplay *vnc_display; /* needed for info vnc */
49 
50 static int vnc_cursor_define(VncState *vs);
51 static void vnc_release_modifiers(VncState *vs);
52 
53 static void vnc_set_share_mode(VncState *vs, VncShareMode mode)
54 {
55 #ifdef _VNC_DEBUG
56     static const char *mn[] = {
57         [0]                           = "undefined",
58         [VNC_SHARE_MODE_CONNECTING]   = "connecting",
59         [VNC_SHARE_MODE_SHARED]       = "shared",
60         [VNC_SHARE_MODE_EXCLUSIVE]    = "exclusive",
61         [VNC_SHARE_MODE_DISCONNECTED] = "disconnected",
62     };
63     fprintf(stderr, "%s/%d: %s -> %s\n", __func__,
64             vs->csock, mn[vs->share_mode], mn[mode]);
65 #endif
66 
67     if (vs->share_mode == VNC_SHARE_MODE_EXCLUSIVE) {
68         vs->vd->num_exclusive--;
69     }
70     vs->share_mode = mode;
71     if (vs->share_mode == VNC_SHARE_MODE_EXCLUSIVE) {
72         vs->vd->num_exclusive++;
73     }
74 }
75 
76 static char *addr_to_string(const char *format,
77                             struct sockaddr_storage *sa,
78                             socklen_t salen) {
79     char *addr;
80     char host[NI_MAXHOST];
81     char serv[NI_MAXSERV];
82     int err;
83     size_t addrlen;
84 
85     if ((err = getnameinfo((struct sockaddr *)sa, salen,
86                            host, sizeof(host),
87                            serv, sizeof(serv),
88                            NI_NUMERICHOST | NI_NUMERICSERV)) != 0) {
89         VNC_DEBUG("Cannot resolve address %d: %s\n",
90                   err, gai_strerror(err));
91         return NULL;
92     }
93 
94     /* Enough for the existing format + the 2 vars we're
95      * substituting in. */
96     addrlen = strlen(format) + strlen(host) + strlen(serv);
97     addr = g_malloc(addrlen + 1);
98     snprintf(addr, addrlen, format, host, serv);
99     addr[addrlen] = '\0';
100 
101     return addr;
102 }
103 
104 
105 char *vnc_socket_local_addr(const char *format, int fd) {
106     struct sockaddr_storage sa;
107     socklen_t salen;
108 
109     salen = sizeof(sa);
110     if (getsockname(fd, (struct sockaddr*)&sa, &salen) < 0)
111         return NULL;
112 
113     return addr_to_string(format, &sa, salen);
114 }
115 
116 char *vnc_socket_remote_addr(const char *format, int fd) {
117     struct sockaddr_storage sa;
118     socklen_t salen;
119 
120     salen = sizeof(sa);
121     if (getpeername(fd, (struct sockaddr*)&sa, &salen) < 0)
122         return NULL;
123 
124     return addr_to_string(format, &sa, salen);
125 }
126 
127 static int put_addr_qdict(QDict *qdict, struct sockaddr_storage *sa,
128                           socklen_t salen)
129 {
130     char host[NI_MAXHOST];
131     char serv[NI_MAXSERV];
132     int err;
133 
134     if ((err = getnameinfo((struct sockaddr *)sa, salen,
135                            host, sizeof(host),
136                            serv, sizeof(serv),
137                            NI_NUMERICHOST | NI_NUMERICSERV)) != 0) {
138         VNC_DEBUG("Cannot resolve address %d: %s\n",
139                   err, gai_strerror(err));
140         return -1;
141     }
142 
143     qdict_put(qdict, "host", qstring_from_str(host));
144     qdict_put(qdict, "service", qstring_from_str(serv));
145     qdict_put(qdict, "family",qstring_from_str(inet_strfamily(sa->ss_family)));
146 
147     return 0;
148 }
149 
150 static int vnc_server_addr_put(QDict *qdict, int fd)
151 {
152     struct sockaddr_storage sa;
153     socklen_t salen;
154 
155     salen = sizeof(sa);
156     if (getsockname(fd, (struct sockaddr*)&sa, &salen) < 0) {
157         return -1;
158     }
159 
160     return put_addr_qdict(qdict, &sa, salen);
161 }
162 
163 static int vnc_qdict_remote_addr(QDict *qdict, int fd)
164 {
165     struct sockaddr_storage sa;
166     socklen_t salen;
167 
168     salen = sizeof(sa);
169     if (getpeername(fd, (struct sockaddr*)&sa, &salen) < 0) {
170         return -1;
171     }
172 
173     return put_addr_qdict(qdict, &sa, salen);
174 }
175 
176 static const char *vnc_auth_name(VncDisplay *vd) {
177     switch (vd->auth) {
178     case VNC_AUTH_INVALID:
179         return "invalid";
180     case VNC_AUTH_NONE:
181         return "none";
182     case VNC_AUTH_VNC:
183         return "vnc";
184     case VNC_AUTH_RA2:
185         return "ra2";
186     case VNC_AUTH_RA2NE:
187         return "ra2ne";
188     case VNC_AUTH_TIGHT:
189         return "tight";
190     case VNC_AUTH_ULTRA:
191         return "ultra";
192     case VNC_AUTH_TLS:
193         return "tls";
194     case VNC_AUTH_VENCRYPT:
195 #ifdef CONFIG_VNC_TLS
196         switch (vd->subauth) {
197         case VNC_AUTH_VENCRYPT_PLAIN:
198             return "vencrypt+plain";
199         case VNC_AUTH_VENCRYPT_TLSNONE:
200             return "vencrypt+tls+none";
201         case VNC_AUTH_VENCRYPT_TLSVNC:
202             return "vencrypt+tls+vnc";
203         case VNC_AUTH_VENCRYPT_TLSPLAIN:
204             return "vencrypt+tls+plain";
205         case VNC_AUTH_VENCRYPT_X509NONE:
206             return "vencrypt+x509+none";
207         case VNC_AUTH_VENCRYPT_X509VNC:
208             return "vencrypt+x509+vnc";
209         case VNC_AUTH_VENCRYPT_X509PLAIN:
210             return "vencrypt+x509+plain";
211         case VNC_AUTH_VENCRYPT_TLSSASL:
212             return "vencrypt+tls+sasl";
213         case VNC_AUTH_VENCRYPT_X509SASL:
214             return "vencrypt+x509+sasl";
215         default:
216             return "vencrypt";
217         }
218 #else
219         return "vencrypt";
220 #endif
221     case VNC_AUTH_SASL:
222         return "sasl";
223     }
224     return "unknown";
225 }
226 
227 static int vnc_server_info_put(QDict *qdict)
228 {
229     if (vnc_server_addr_put(qdict, vnc_display->lsock) < 0) {
230         return -1;
231     }
232 
233     qdict_put(qdict, "auth", qstring_from_str(vnc_auth_name(vnc_display)));
234     return 0;
235 }
236 
237 static void vnc_client_cache_auth(VncState *client)
238 {
239 #if defined(CONFIG_VNC_TLS) || defined(CONFIG_VNC_SASL)
240     QDict *qdict;
241 #endif
242 
243     if (!client->info) {
244         return;
245     }
246 
247 #if defined(CONFIG_VNC_TLS) || defined(CONFIG_VNC_SASL)
248     qdict = qobject_to_qdict(client->info);
249 #endif
250 
251 #ifdef CONFIG_VNC_TLS
252     if (client->tls.session &&
253         client->tls.dname) {
254         qdict_put(qdict, "x509_dname", qstring_from_str(client->tls.dname));
255     }
256 #endif
257 #ifdef CONFIG_VNC_SASL
258     if (client->sasl.conn &&
259         client->sasl.username) {
260         qdict_put(qdict, "sasl_username",
261                   qstring_from_str(client->sasl.username));
262     }
263 #endif
264 }
265 
266 static void vnc_client_cache_addr(VncState *client)
267 {
268     QDict *qdict;
269 
270     qdict = qdict_new();
271     if (vnc_qdict_remote_addr(qdict, client->csock) < 0) {
272         QDECREF(qdict);
273         /* XXX: how to report the error? */
274         return;
275     }
276 
277     client->info = QOBJECT(qdict);
278 }
279 
280 static void vnc_qmp_event(VncState *vs, MonitorEvent event)
281 {
282     QDict *server;
283     QObject *data;
284 
285     if (!vs->info) {
286         return;
287     }
288 
289     server = qdict_new();
290     if (vnc_server_info_put(server) < 0) {
291         QDECREF(server);
292         return;
293     }
294 
295     data = qobject_from_jsonf("{ 'client': %p, 'server': %p }",
296                               vs->info, QOBJECT(server));
297 
298     monitor_protocol_event(event, data);
299 
300     qobject_incref(vs->info);
301     qobject_decref(data);
302 }
303 
304 static VncClientInfo *qmp_query_vnc_client(const VncState *client)
305 {
306     struct sockaddr_storage sa;
307     socklen_t salen = sizeof(sa);
308     char host[NI_MAXHOST];
309     char serv[NI_MAXSERV];
310     VncClientInfo *info;
311 
312     if (getpeername(client->csock, (struct sockaddr *)&sa, &salen) < 0) {
313         return NULL;
314     }
315 
316     if (getnameinfo((struct sockaddr *)&sa, salen,
317                     host, sizeof(host),
318                     serv, sizeof(serv),
319                     NI_NUMERICHOST | NI_NUMERICSERV) < 0) {
320         return NULL;
321     }
322 
323     info = g_malloc0(sizeof(*info));
324     info->host = g_strdup(host);
325     info->service = g_strdup(serv);
326     info->family = g_strdup(inet_strfamily(sa.ss_family));
327 
328 #ifdef CONFIG_VNC_TLS
329     if (client->tls.session && client->tls.dname) {
330         info->has_x509_dname = true;
331         info->x509_dname = g_strdup(client->tls.dname);
332     }
333 #endif
334 #ifdef CONFIG_VNC_SASL
335     if (client->sasl.conn && client->sasl.username) {
336         info->has_sasl_username = true;
337         info->sasl_username = g_strdup(client->sasl.username);
338     }
339 #endif
340 
341     return info;
342 }
343 
344 VncInfo *qmp_query_vnc(Error **errp)
345 {
346     VncInfo *info = g_malloc0(sizeof(*info));
347 
348     if (vnc_display == NULL || vnc_display->display == NULL) {
349         info->enabled = false;
350     } else {
351         VncClientInfoList *cur_item = NULL;
352         struct sockaddr_storage sa;
353         socklen_t salen = sizeof(sa);
354         char host[NI_MAXHOST];
355         char serv[NI_MAXSERV];
356         VncState *client;
357 
358         info->enabled = true;
359 
360         /* for compatibility with the original command */
361         info->has_clients = true;
362 
363         QTAILQ_FOREACH(client, &vnc_display->clients, next) {
364             VncClientInfoList *cinfo = g_malloc0(sizeof(*info));
365             cinfo->value = qmp_query_vnc_client(client);
366 
367             /* XXX: waiting for the qapi to support GSList */
368             if (!cur_item) {
369                 info->clients = cur_item = cinfo;
370             } else {
371                 cur_item->next = cinfo;
372                 cur_item = cinfo;
373             }
374         }
375 
376         if (vnc_display->lsock == -1) {
377             return info;
378         }
379 
380         if (getsockname(vnc_display->lsock, (struct sockaddr *)&sa,
381                         &salen) == -1) {
382             error_set(errp, QERR_UNDEFINED_ERROR);
383             goto out_error;
384         }
385 
386         if (getnameinfo((struct sockaddr *)&sa, salen,
387                         host, sizeof(host),
388                         serv, sizeof(serv),
389                         NI_NUMERICHOST | NI_NUMERICSERV) < 0) {
390             error_set(errp, QERR_UNDEFINED_ERROR);
391             goto out_error;
392         }
393 
394         info->has_host = true;
395         info->host = g_strdup(host);
396 
397         info->has_service = true;
398         info->service = g_strdup(serv);
399 
400         info->has_family = true;
401         info->family = g_strdup(inet_strfamily(sa.ss_family));
402 
403         info->has_auth = true;
404         info->auth = g_strdup(vnc_auth_name(vnc_display));
405     }
406 
407     return info;
408 
409 out_error:
410     qapi_free_VncInfo(info);
411     return NULL;
412 }
413 
414 /* TODO
415    1) Get the queue working for IO.
416    2) there is some weirdness when using the -S option (the screen is grey
417       and not totally invalidated
418    3) resolutions > 1024
419 */
420 
421 static int vnc_update_client(VncState *vs, int has_dirty, bool sync);
422 static void vnc_disconnect_start(VncState *vs);
423 
424 static void vnc_colordepth(VncState *vs);
425 static void framebuffer_update_request(VncState *vs, int incremental,
426                                        int x_position, int y_position,
427                                        int w, int h);
428 static void vnc_refresh(DisplayChangeListener *dcl);
429 static int vnc_refresh_server_surface(VncDisplay *vd);
430 
431 static void vnc_dpy_update(DisplayChangeListener *dcl,
432                            int x, int y, int w, int h)
433 {
434     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
435     struct VncSurface *s = &vd->guest;
436     int width = surface_width(vd->ds);
437     int height = surface_height(vd->ds);
438 
439     /* this is needed this to ensure we updated all affected
440      * blocks if x % VNC_DIRTY_PIXELS_PER_BIT != 0 */
441     w += (x % VNC_DIRTY_PIXELS_PER_BIT);
442     x -= (x % VNC_DIRTY_PIXELS_PER_BIT);
443 
444     x = MIN(x, width);
445     y = MIN(y, height);
446     w = MIN(x + w, width) - x;
447     h = MIN(y + h, height);
448 
449     for (; y < h; y++) {
450         bitmap_set(s->dirty[y], x / VNC_DIRTY_PIXELS_PER_BIT,
451                    DIV_ROUND_UP(w, VNC_DIRTY_PIXELS_PER_BIT));
452     }
453 }
454 
455 void vnc_framebuffer_update(VncState *vs, int x, int y, int w, int h,
456                             int32_t encoding)
457 {
458     vnc_write_u16(vs, x);
459     vnc_write_u16(vs, y);
460     vnc_write_u16(vs, w);
461     vnc_write_u16(vs, h);
462 
463     vnc_write_s32(vs, encoding);
464 }
465 
466 void buffer_reserve(Buffer *buffer, size_t len)
467 {
468     if ((buffer->capacity - buffer->offset) < len) {
469         buffer->capacity += (len + 1024);
470         buffer->buffer = g_realloc(buffer->buffer, buffer->capacity);
471         if (buffer->buffer == NULL) {
472             fprintf(stderr, "vnc: out of memory\n");
473             exit(1);
474         }
475     }
476 }
477 
478 static int buffer_empty(Buffer *buffer)
479 {
480     return buffer->offset == 0;
481 }
482 
483 uint8_t *buffer_end(Buffer *buffer)
484 {
485     return buffer->buffer + buffer->offset;
486 }
487 
488 void buffer_reset(Buffer *buffer)
489 {
490         buffer->offset = 0;
491 }
492 
493 void buffer_free(Buffer *buffer)
494 {
495     g_free(buffer->buffer);
496     buffer->offset = 0;
497     buffer->capacity = 0;
498     buffer->buffer = NULL;
499 }
500 
501 void buffer_append(Buffer *buffer, const void *data, size_t len)
502 {
503     memcpy(buffer->buffer + buffer->offset, data, len);
504     buffer->offset += len;
505 }
506 
507 void buffer_advance(Buffer *buf, size_t len)
508 {
509     memmove(buf->buffer, buf->buffer + len,
510             (buf->offset - len));
511     buf->offset -= len;
512 }
513 
514 static void vnc_desktop_resize(VncState *vs)
515 {
516     DisplaySurface *ds = vs->vd->ds;
517 
518     if (vs->csock == -1 || !vnc_has_feature(vs, VNC_FEATURE_RESIZE)) {
519         return;
520     }
521     if (vs->client_width == surface_width(ds) &&
522         vs->client_height == surface_height(ds)) {
523         return;
524     }
525     vs->client_width = surface_width(ds);
526     vs->client_height = surface_height(ds);
527     vnc_lock_output(vs);
528     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
529     vnc_write_u8(vs, 0);
530     vnc_write_u16(vs, 1); /* number of rects */
531     vnc_framebuffer_update(vs, 0, 0, vs->client_width, vs->client_height,
532                            VNC_ENCODING_DESKTOPRESIZE);
533     vnc_unlock_output(vs);
534     vnc_flush(vs);
535 }
536 
537 static void vnc_abort_display_jobs(VncDisplay *vd)
538 {
539     VncState *vs;
540 
541     QTAILQ_FOREACH(vs, &vd->clients, next) {
542         vnc_lock_output(vs);
543         vs->abort = true;
544         vnc_unlock_output(vs);
545     }
546     QTAILQ_FOREACH(vs, &vd->clients, next) {
547         vnc_jobs_join(vs);
548     }
549     QTAILQ_FOREACH(vs, &vd->clients, next) {
550         vnc_lock_output(vs);
551         vs->abort = false;
552         vnc_unlock_output(vs);
553     }
554 }
555 
556 int vnc_server_fb_stride(VncDisplay *vd)
557 {
558     return pixman_image_get_stride(vd->server);
559 }
560 
561 void *vnc_server_fb_ptr(VncDisplay *vd, int x, int y)
562 {
563     uint8_t *ptr;
564 
565     ptr  = (uint8_t *)pixman_image_get_data(vd->server);
566     ptr += y * vnc_server_fb_stride(vd);
567     ptr += x * VNC_SERVER_FB_BYTES;
568     return ptr;
569 }
570 /* this sets only the visible pixels of a dirty bitmap */
571 #define VNC_SET_VISIBLE_PIXELS_DIRTY(bitmap, w, h) {\
572         int y;\
573         memset(bitmap, 0x00, sizeof(bitmap));\
574         for (y = 0; y < h; y++) {\
575             bitmap_set(bitmap[y], 0,\
576                        DIV_ROUND_UP(w, VNC_DIRTY_PIXELS_PER_BIT));\
577         } \
578     }
579 
580 static void vnc_dpy_switch(DisplayChangeListener *dcl,
581                            DisplaySurface *surface)
582 {
583     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
584     VncState *vs;
585 
586     vnc_abort_display_jobs(vd);
587 
588     /* server surface */
589     qemu_pixman_image_unref(vd->server);
590     vd->ds = surface;
591     vd->server = pixman_image_create_bits(VNC_SERVER_FB_FORMAT,
592                                           surface_width(vd->ds),
593                                           surface_height(vd->ds),
594                                           NULL, 0);
595 
596     /* guest surface */
597 #if 0 /* FIXME */
598     if (ds_get_bytes_per_pixel(ds) != vd->guest.ds->pf.bytes_per_pixel)
599         console_color_init(ds);
600 #endif
601     qemu_pixman_image_unref(vd->guest.fb);
602     vd->guest.fb = pixman_image_ref(surface->image);
603     vd->guest.format = surface->format;
604     VNC_SET_VISIBLE_PIXELS_DIRTY(vd->guest.dirty,
605                                  surface_width(vd->ds),
606                                  surface_height(vd->ds));
607 
608     QTAILQ_FOREACH(vs, &vd->clients, next) {
609         vnc_colordepth(vs);
610         vnc_desktop_resize(vs);
611         if (vs->vd->cursor) {
612             vnc_cursor_define(vs);
613         }
614         VNC_SET_VISIBLE_PIXELS_DIRTY(vs->dirty,
615                                      surface_width(vd->ds),
616                                      surface_height(vd->ds));
617     }
618 }
619 
620 /* fastest code */
621 static void vnc_write_pixels_copy(VncState *vs,
622                                   void *pixels, int size)
623 {
624     vnc_write(vs, pixels, size);
625 }
626 
627 /* slowest but generic code. */
628 void vnc_convert_pixel(VncState *vs, uint8_t *buf, uint32_t v)
629 {
630     uint8_t r, g, b;
631 
632 #if VNC_SERVER_FB_FORMAT == PIXMAN_FORMAT(32, PIXMAN_TYPE_ARGB, 0, 8, 8, 8)
633     r = (((v & 0x00ff0000) >> 16) << vs->client_pf.rbits) >> 8;
634     g = (((v & 0x0000ff00) >>  8) << vs->client_pf.gbits) >> 8;
635     b = (((v & 0x000000ff) >>  0) << vs->client_pf.bbits) >> 8;
636 #else
637 # error need some bits here if you change VNC_SERVER_FB_FORMAT
638 #endif
639     v = (r << vs->client_pf.rshift) |
640         (g << vs->client_pf.gshift) |
641         (b << vs->client_pf.bshift);
642     switch (vs->client_pf.bytes_per_pixel) {
643     case 1:
644         buf[0] = v;
645         break;
646     case 2:
647         if (vs->client_be) {
648             buf[0] = v >> 8;
649             buf[1] = v;
650         } else {
651             buf[1] = v >> 8;
652             buf[0] = v;
653         }
654         break;
655     default:
656     case 4:
657         if (vs->client_be) {
658             buf[0] = v >> 24;
659             buf[1] = v >> 16;
660             buf[2] = v >> 8;
661             buf[3] = v;
662         } else {
663             buf[3] = v >> 24;
664             buf[2] = v >> 16;
665             buf[1] = v >> 8;
666             buf[0] = v;
667         }
668         break;
669     }
670 }
671 
672 static void vnc_write_pixels_generic(VncState *vs,
673                                      void *pixels1, int size)
674 {
675     uint8_t buf[4];
676 
677     if (VNC_SERVER_FB_BYTES == 4) {
678         uint32_t *pixels = pixels1;
679         int n, i;
680         n = size >> 2;
681         for (i = 0; i < n; i++) {
682             vnc_convert_pixel(vs, buf, pixels[i]);
683             vnc_write(vs, buf, vs->client_pf.bytes_per_pixel);
684         }
685     }
686 }
687 
688 int vnc_raw_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
689 {
690     int i;
691     uint8_t *row;
692     VncDisplay *vd = vs->vd;
693 
694     row = vnc_server_fb_ptr(vd, x, y);
695     for (i = 0; i < h; i++) {
696         vs->write_pixels(vs, row, w * VNC_SERVER_FB_BYTES);
697         row += vnc_server_fb_stride(vd);
698     }
699     return 1;
700 }
701 
702 int vnc_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
703 {
704     int n = 0;
705 
706     switch(vs->vnc_encoding) {
707         case VNC_ENCODING_ZLIB:
708             n = vnc_zlib_send_framebuffer_update(vs, x, y, w, h);
709             break;
710         case VNC_ENCODING_HEXTILE:
711             vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_HEXTILE);
712             n = vnc_hextile_send_framebuffer_update(vs, x, y, w, h);
713             break;
714         case VNC_ENCODING_TIGHT:
715             n = vnc_tight_send_framebuffer_update(vs, x, y, w, h);
716             break;
717         case VNC_ENCODING_TIGHT_PNG:
718             n = vnc_tight_png_send_framebuffer_update(vs, x, y, w, h);
719             break;
720         case VNC_ENCODING_ZRLE:
721             n = vnc_zrle_send_framebuffer_update(vs, x, y, w, h);
722             break;
723         case VNC_ENCODING_ZYWRLE:
724             n = vnc_zywrle_send_framebuffer_update(vs, x, y, w, h);
725             break;
726         default:
727             vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_RAW);
728             n = vnc_raw_send_framebuffer_update(vs, x, y, w, h);
729             break;
730     }
731     return n;
732 }
733 
734 static void vnc_copy(VncState *vs, int src_x, int src_y, int dst_x, int dst_y, int w, int h)
735 {
736     /* send bitblit op to the vnc client */
737     vnc_lock_output(vs);
738     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
739     vnc_write_u8(vs, 0);
740     vnc_write_u16(vs, 1); /* number of rects */
741     vnc_framebuffer_update(vs, dst_x, dst_y, w, h, VNC_ENCODING_COPYRECT);
742     vnc_write_u16(vs, src_x);
743     vnc_write_u16(vs, src_y);
744     vnc_unlock_output(vs);
745     vnc_flush(vs);
746 }
747 
748 static void vnc_dpy_copy(DisplayChangeListener *dcl,
749                          int src_x, int src_y,
750                          int dst_x, int dst_y, int w, int h)
751 {
752     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
753     VncState *vs, *vn;
754     uint8_t *src_row;
755     uint8_t *dst_row;
756     int i, x, y, pitch, inc, w_lim, s;
757     int cmp_bytes;
758 
759     vnc_refresh_server_surface(vd);
760     QTAILQ_FOREACH_SAFE(vs, &vd->clients, next, vn) {
761         if (vnc_has_feature(vs, VNC_FEATURE_COPYRECT)) {
762             vs->force_update = 1;
763             vnc_update_client(vs, 1, true);
764             /* vs might be free()ed here */
765         }
766     }
767 
768     /* do bitblit op on the local surface too */
769     pitch = vnc_server_fb_stride(vd);
770     src_row = vnc_server_fb_ptr(vd, src_x, src_y);
771     dst_row = vnc_server_fb_ptr(vd, dst_x, dst_y);
772     y = dst_y;
773     inc = 1;
774     if (dst_y > src_y) {
775         /* copy backwards */
776         src_row += pitch * (h-1);
777         dst_row += pitch * (h-1);
778         pitch = -pitch;
779         y = dst_y + h - 1;
780         inc = -1;
781     }
782     w_lim = w - (VNC_DIRTY_PIXELS_PER_BIT - (dst_x % VNC_DIRTY_PIXELS_PER_BIT));
783     if (w_lim < 0) {
784         w_lim = w;
785     } else {
786         w_lim = w - (w_lim % VNC_DIRTY_PIXELS_PER_BIT);
787     }
788     for (i = 0; i < h; i++) {
789         for (x = 0; x <= w_lim;
790                 x += s, src_row += cmp_bytes, dst_row += cmp_bytes) {
791             if (x == w_lim) {
792                 if ((s = w - w_lim) == 0)
793                     break;
794             } else if (!x) {
795                 s = (VNC_DIRTY_PIXELS_PER_BIT -
796                     (dst_x % VNC_DIRTY_PIXELS_PER_BIT));
797                 s = MIN(s, w_lim);
798             } else {
799                 s = VNC_DIRTY_PIXELS_PER_BIT;
800             }
801             cmp_bytes = s * VNC_SERVER_FB_BYTES;
802             if (memcmp(src_row, dst_row, cmp_bytes) == 0)
803                 continue;
804             memmove(dst_row, src_row, cmp_bytes);
805             QTAILQ_FOREACH(vs, &vd->clients, next) {
806                 if (!vnc_has_feature(vs, VNC_FEATURE_COPYRECT)) {
807                     set_bit(((x + dst_x) / VNC_DIRTY_PIXELS_PER_BIT),
808                             vs->dirty[y]);
809                 }
810             }
811         }
812         src_row += pitch - w * VNC_SERVER_FB_BYTES;
813         dst_row += pitch - w * VNC_SERVER_FB_BYTES;
814         y += inc;
815     }
816 
817     QTAILQ_FOREACH(vs, &vd->clients, next) {
818         if (vnc_has_feature(vs, VNC_FEATURE_COPYRECT)) {
819             vnc_copy(vs, src_x, src_y, dst_x, dst_y, w, h);
820         }
821     }
822 }
823 
824 static void vnc_mouse_set(DisplayChangeListener *dcl,
825                           int x, int y, int visible)
826 {
827     /* can we ask the client(s) to move the pointer ??? */
828 }
829 
830 static int vnc_cursor_define(VncState *vs)
831 {
832     QEMUCursor *c = vs->vd->cursor;
833     int isize;
834 
835     if (vnc_has_feature(vs, VNC_FEATURE_RICH_CURSOR)) {
836         vnc_lock_output(vs);
837         vnc_write_u8(vs,  VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
838         vnc_write_u8(vs,  0);  /*  padding     */
839         vnc_write_u16(vs, 1);  /*  # of rects  */
840         vnc_framebuffer_update(vs, c->hot_x, c->hot_y, c->width, c->height,
841                                VNC_ENCODING_RICH_CURSOR);
842         isize = c->width * c->height * vs->client_pf.bytes_per_pixel;
843         vnc_write_pixels_generic(vs, c->data, isize);
844         vnc_write(vs, vs->vd->cursor_mask, vs->vd->cursor_msize);
845         vnc_unlock_output(vs);
846         return 0;
847     }
848     return -1;
849 }
850 
851 static void vnc_dpy_cursor_define(DisplayChangeListener *dcl,
852                                   QEMUCursor *c)
853 {
854     VncDisplay *vd = vnc_display;
855     VncState *vs;
856 
857     cursor_put(vd->cursor);
858     g_free(vd->cursor_mask);
859 
860     vd->cursor = c;
861     cursor_get(vd->cursor);
862     vd->cursor_msize = cursor_get_mono_bpl(c) * c->height;
863     vd->cursor_mask = g_malloc0(vd->cursor_msize);
864     cursor_get_mono_mask(c, 0, vd->cursor_mask);
865 
866     QTAILQ_FOREACH(vs, &vd->clients, next) {
867         vnc_cursor_define(vs);
868     }
869 }
870 
871 static int find_and_clear_dirty_height(struct VncState *vs,
872                                        int y, int last_x, int x, int height)
873 {
874     int h;
875 
876     for (h = 1; h < (height - y); h++) {
877         if (!test_bit(last_x, vs->dirty[y + h])) {
878             break;
879         }
880         bitmap_clear(vs->dirty[y + h], last_x, x - last_x);
881     }
882 
883     return h;
884 }
885 
886 static int vnc_update_client(VncState *vs, int has_dirty, bool sync)
887 {
888     if (vs->need_update && vs->csock != -1) {
889         VncDisplay *vd = vs->vd;
890         VncJob *job;
891         int y;
892         int height, width;
893         int n = 0;
894 
895         if (vs->output.offset && !vs->audio_cap && !vs->force_update)
896             /* kernel send buffers are full -> drop frames to throttle */
897             return 0;
898 
899         if (!has_dirty && !vs->audio_cap && !vs->force_update)
900             return 0;
901 
902         /*
903          * Send screen updates to the vnc client using the server
904          * surface and server dirty map.  guest surface updates
905          * happening in parallel don't disturb us, the next pass will
906          * send them to the client.
907          */
908         job = vnc_job_new(vs);
909 
910         height = MIN(pixman_image_get_height(vd->server), vs->client_height);
911         width = MIN(pixman_image_get_width(vd->server), vs->client_width);
912 
913         y = 0;
914         for (;;) {
915             int x, h;
916             unsigned long x2;
917             unsigned long offset = find_next_bit((unsigned long *) &vs->dirty,
918                                                  height * VNC_DIRTY_BPL(vs),
919                                                  y * VNC_DIRTY_BPL(vs));
920             if (offset == height * VNC_DIRTY_BPL(vs)) {
921                 /* no more dirty bits */
922                 break;
923             }
924             y = offset / VNC_DIRTY_BPL(vs);
925             x = offset % VNC_DIRTY_BPL(vs);
926             x2 = find_next_zero_bit((unsigned long *) &vs->dirty[y],
927                                     VNC_DIRTY_BPL(vs), x);
928             bitmap_clear(vs->dirty[y], x, x2 - x);
929             h = find_and_clear_dirty_height(vs, y, x, x2, height);
930             x2 = MIN(x2, width / VNC_DIRTY_PIXELS_PER_BIT);
931             if (x2 > x) {
932                 n += vnc_job_add_rect(job, x * VNC_DIRTY_PIXELS_PER_BIT, y,
933                                       (x2 - x) * VNC_DIRTY_PIXELS_PER_BIT, h);
934             }
935         }
936 
937         vnc_job_push(job);
938         vs->force_update = 0;
939         return n;
940     }
941 
942     if (vs->csock == -1) {
943         vnc_disconnect_finish(vs);
944     } else if (sync) {
945         vnc_jobs_join(vs);
946     }
947 
948     return 0;
949 }
950 
951 /* audio */
952 static void audio_capture_notify(void *opaque, audcnotification_e cmd)
953 {
954     VncState *vs = opaque;
955 
956     switch (cmd) {
957     case AUD_CNOTIFY_DISABLE:
958         vnc_lock_output(vs);
959         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
960         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
961         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_END);
962         vnc_unlock_output(vs);
963         vnc_flush(vs);
964         break;
965 
966     case AUD_CNOTIFY_ENABLE:
967         vnc_lock_output(vs);
968         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
969         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
970         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_BEGIN);
971         vnc_unlock_output(vs);
972         vnc_flush(vs);
973         break;
974     }
975 }
976 
977 static void audio_capture_destroy(void *opaque)
978 {
979 }
980 
981 static void audio_capture(void *opaque, void *buf, int size)
982 {
983     VncState *vs = opaque;
984 
985     vnc_lock_output(vs);
986     vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
987     vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
988     vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_DATA);
989     vnc_write_u32(vs, size);
990     vnc_write(vs, buf, size);
991     vnc_unlock_output(vs);
992     vnc_flush(vs);
993 }
994 
995 static void audio_add(VncState *vs)
996 {
997     struct audio_capture_ops ops;
998 
999     if (vs->audio_cap) {
1000         error_report("audio already running");
1001         return;
1002     }
1003 
1004     ops.notify = audio_capture_notify;
1005     ops.destroy = audio_capture_destroy;
1006     ops.capture = audio_capture;
1007 
1008     vs->audio_cap = AUD_add_capture(&vs->as, &ops, vs);
1009     if (!vs->audio_cap) {
1010         error_report("Failed to add audio capture");
1011     }
1012 }
1013 
1014 static void audio_del(VncState *vs)
1015 {
1016     if (vs->audio_cap) {
1017         AUD_del_capture(vs->audio_cap, vs);
1018         vs->audio_cap = NULL;
1019     }
1020 }
1021 
1022 static void vnc_disconnect_start(VncState *vs)
1023 {
1024     if (vs->csock == -1)
1025         return;
1026     vnc_set_share_mode(vs, VNC_SHARE_MODE_DISCONNECTED);
1027     qemu_set_fd_handler2(vs->csock, NULL, NULL, NULL, NULL);
1028     closesocket(vs->csock);
1029     vs->csock = -1;
1030 }
1031 
1032 void vnc_disconnect_finish(VncState *vs)
1033 {
1034     int i;
1035 
1036     vnc_jobs_join(vs); /* Wait encoding jobs */
1037 
1038     vnc_lock_output(vs);
1039     vnc_qmp_event(vs, QEVENT_VNC_DISCONNECTED);
1040 
1041     buffer_free(&vs->input);
1042     buffer_free(&vs->output);
1043 #ifdef CONFIG_VNC_WS
1044     buffer_free(&vs->ws_input);
1045     buffer_free(&vs->ws_output);
1046 #endif /* CONFIG_VNC_WS */
1047 
1048     qobject_decref(vs->info);
1049 
1050     vnc_zlib_clear(vs);
1051     vnc_tight_clear(vs);
1052     vnc_zrle_clear(vs);
1053 
1054 #ifdef CONFIG_VNC_TLS
1055     vnc_tls_client_cleanup(vs);
1056 #endif /* CONFIG_VNC_TLS */
1057 #ifdef CONFIG_VNC_SASL
1058     vnc_sasl_client_cleanup(vs);
1059 #endif /* CONFIG_VNC_SASL */
1060     audio_del(vs);
1061     vnc_release_modifiers(vs);
1062 
1063     if (vs->initialized) {
1064         QTAILQ_REMOVE(&vs->vd->clients, vs, next);
1065         qemu_remove_mouse_mode_change_notifier(&vs->mouse_mode_notifier);
1066     }
1067 
1068     if (vs->vd->lock_key_sync)
1069         qemu_remove_led_event_handler(vs->led);
1070     vnc_unlock_output(vs);
1071 
1072     qemu_mutex_destroy(&vs->output_mutex);
1073     if (vs->bh != NULL) {
1074         qemu_bh_delete(vs->bh);
1075     }
1076     buffer_free(&vs->jobs_buffer);
1077 
1078     for (i = 0; i < VNC_STAT_ROWS; ++i) {
1079         g_free(vs->lossy_rect[i]);
1080     }
1081     g_free(vs->lossy_rect);
1082     g_free(vs);
1083 }
1084 
1085 int vnc_client_io_error(VncState *vs, int ret, int last_errno)
1086 {
1087     if (ret == 0 || ret == -1) {
1088         if (ret == -1) {
1089             switch (last_errno) {
1090                 case EINTR:
1091                 case EAGAIN:
1092 #ifdef _WIN32
1093                 case WSAEWOULDBLOCK:
1094 #endif
1095                     return 0;
1096                 default:
1097                     break;
1098             }
1099         }
1100 
1101         VNC_DEBUG("Closing down client sock: ret %d, errno %d\n",
1102                   ret, ret < 0 ? last_errno : 0);
1103         vnc_disconnect_start(vs);
1104 
1105         return 0;
1106     }
1107     return ret;
1108 }
1109 
1110 
1111 void vnc_client_error(VncState *vs)
1112 {
1113     VNC_DEBUG("Closing down client sock: protocol error\n");
1114     vnc_disconnect_start(vs);
1115 }
1116 
1117 #ifdef CONFIG_VNC_TLS
1118 static long vnc_client_write_tls(gnutls_session_t *session,
1119                                  const uint8_t *data,
1120                                  size_t datalen)
1121 {
1122     long ret = gnutls_write(*session, data, datalen);
1123     if (ret < 0) {
1124         if (ret == GNUTLS_E_AGAIN) {
1125             errno = EAGAIN;
1126         } else {
1127             errno = EIO;
1128         }
1129         ret = -1;
1130     }
1131     return ret;
1132 }
1133 #endif /* CONFIG_VNC_TLS */
1134 
1135 /*
1136  * Called to write a chunk of data to the client socket. The data may
1137  * be the raw data, or may have already been encoded by SASL.
1138  * The data will be written either straight onto the socket, or
1139  * written via the GNUTLS wrappers, if TLS/SSL encryption is enabled
1140  *
1141  * NB, it is theoretically possible to have 2 layers of encryption,
1142  * both SASL, and this TLS layer. It is highly unlikely in practice
1143  * though, since SASL encryption will typically be a no-op if TLS
1144  * is active
1145  *
1146  * Returns the number of bytes written, which may be less than
1147  * the requested 'datalen' if the socket would block. Returns
1148  * -1 on error, and disconnects the client socket.
1149  */
1150 long vnc_client_write_buf(VncState *vs, const uint8_t *data, size_t datalen)
1151 {
1152     long ret;
1153 #ifdef CONFIG_VNC_TLS
1154     if (vs->tls.session) {
1155         ret = vnc_client_write_tls(&vs->tls.session, data, datalen);
1156     } else {
1157 #ifdef CONFIG_VNC_WS
1158         if (vs->ws_tls.session) {
1159             ret = vnc_client_write_tls(&vs->ws_tls.session, data, datalen);
1160         } else
1161 #endif /* CONFIG_VNC_WS */
1162 #endif /* CONFIG_VNC_TLS */
1163         {
1164             ret = send(vs->csock, (const void *)data, datalen, 0);
1165         }
1166 #ifdef CONFIG_VNC_TLS
1167     }
1168 #endif /* CONFIG_VNC_TLS */
1169     VNC_DEBUG("Wrote wire %p %zd -> %ld\n", data, datalen, ret);
1170     return vnc_client_io_error(vs, ret, socket_error());
1171 }
1172 
1173 
1174 /*
1175  * Called to write buffered data to the client socket, when not
1176  * using any SASL SSF encryption layers. Will write as much data
1177  * as possible without blocking. If all buffered data is written,
1178  * will switch the FD poll() handler back to read monitoring.
1179  *
1180  * Returns the number of bytes written, which may be less than
1181  * the buffered output data if the socket would block. Returns
1182  * -1 on error, and disconnects the client socket.
1183  */
1184 static long vnc_client_write_plain(VncState *vs)
1185 {
1186     long ret;
1187 
1188 #ifdef CONFIG_VNC_SASL
1189     VNC_DEBUG("Write Plain: Pending output %p size %zd offset %zd. Wait SSF %d\n",
1190               vs->output.buffer, vs->output.capacity, vs->output.offset,
1191               vs->sasl.waitWriteSSF);
1192 
1193     if (vs->sasl.conn &&
1194         vs->sasl.runSSF &&
1195         vs->sasl.waitWriteSSF) {
1196         ret = vnc_client_write_buf(vs, vs->output.buffer, vs->sasl.waitWriteSSF);
1197         if (ret)
1198             vs->sasl.waitWriteSSF -= ret;
1199     } else
1200 #endif /* CONFIG_VNC_SASL */
1201         ret = vnc_client_write_buf(vs, vs->output.buffer, vs->output.offset);
1202     if (!ret)
1203         return 0;
1204 
1205     buffer_advance(&vs->output, ret);
1206 
1207     if (vs->output.offset == 0) {
1208         qemu_set_fd_handler2(vs->csock, NULL, vnc_client_read, NULL, vs);
1209     }
1210 
1211     return ret;
1212 }
1213 
1214 
1215 /*
1216  * First function called whenever there is data to be written to
1217  * the client socket. Will delegate actual work according to whether
1218  * SASL SSF layers are enabled (thus requiring encryption calls)
1219  */
1220 static void vnc_client_write_locked(void *opaque)
1221 {
1222     VncState *vs = opaque;
1223 
1224 #ifdef CONFIG_VNC_SASL
1225     if (vs->sasl.conn &&
1226         vs->sasl.runSSF &&
1227         !vs->sasl.waitWriteSSF) {
1228         vnc_client_write_sasl(vs);
1229     } else
1230 #endif /* CONFIG_VNC_SASL */
1231     {
1232 #ifdef CONFIG_VNC_WS
1233         if (vs->encode_ws) {
1234             vnc_client_write_ws(vs);
1235         } else
1236 #endif /* CONFIG_VNC_WS */
1237         {
1238             vnc_client_write_plain(vs);
1239         }
1240     }
1241 }
1242 
1243 void vnc_client_write(void *opaque)
1244 {
1245     VncState *vs = opaque;
1246 
1247     vnc_lock_output(vs);
1248     if (vs->output.offset
1249 #ifdef CONFIG_VNC_WS
1250             || vs->ws_output.offset
1251 #endif
1252             ) {
1253         vnc_client_write_locked(opaque);
1254     } else if (vs->csock != -1) {
1255         qemu_set_fd_handler2(vs->csock, NULL, vnc_client_read, NULL, vs);
1256     }
1257     vnc_unlock_output(vs);
1258 }
1259 
1260 void vnc_read_when(VncState *vs, VncReadEvent *func, size_t expecting)
1261 {
1262     vs->read_handler = func;
1263     vs->read_handler_expect = expecting;
1264 }
1265 
1266 #ifdef CONFIG_VNC_TLS
1267 static long vnc_client_read_tls(gnutls_session_t *session, uint8_t *data,
1268                                 size_t datalen)
1269 {
1270     long ret = gnutls_read(*session, data, datalen);
1271     if (ret < 0) {
1272         if (ret == GNUTLS_E_AGAIN) {
1273             errno = EAGAIN;
1274         } else {
1275             errno = EIO;
1276         }
1277         ret = -1;
1278     }
1279     return ret;
1280 }
1281 #endif /* CONFIG_VNC_TLS */
1282 
1283 /*
1284  * Called to read a chunk of data from the client socket. The data may
1285  * be the raw data, or may need to be further decoded by SASL.
1286  * The data will be read either straight from to the socket, or
1287  * read via the GNUTLS wrappers, if TLS/SSL encryption is enabled
1288  *
1289  * NB, it is theoretically possible to have 2 layers of encryption,
1290  * both SASL, and this TLS layer. It is highly unlikely in practice
1291  * though, since SASL encryption will typically be a no-op if TLS
1292  * is active
1293  *
1294  * Returns the number of bytes read, which may be less than
1295  * the requested 'datalen' if the socket would block. Returns
1296  * -1 on error, and disconnects the client socket.
1297  */
1298 long vnc_client_read_buf(VncState *vs, uint8_t *data, size_t datalen)
1299 {
1300     long ret;
1301 #ifdef CONFIG_VNC_TLS
1302     if (vs->tls.session) {
1303         ret = vnc_client_read_tls(&vs->tls.session, data, datalen);
1304     } else {
1305 #ifdef CONFIG_VNC_WS
1306         if (vs->ws_tls.session) {
1307             ret = vnc_client_read_tls(&vs->ws_tls.session, data, datalen);
1308         } else
1309 #endif /* CONFIG_VNC_WS */
1310 #endif /* CONFIG_VNC_TLS */
1311         {
1312             ret = qemu_recv(vs->csock, data, datalen, 0);
1313         }
1314 #ifdef CONFIG_VNC_TLS
1315     }
1316 #endif /* CONFIG_VNC_TLS */
1317     VNC_DEBUG("Read wire %p %zd -> %ld\n", data, datalen, ret);
1318     return vnc_client_io_error(vs, ret, socket_error());
1319 }
1320 
1321 
1322 /*
1323  * Called to read data from the client socket to the input buffer,
1324  * when not using any SASL SSF encryption layers. Will read as much
1325  * data as possible without blocking.
1326  *
1327  * Returns the number of bytes read. Returns -1 on error, and
1328  * disconnects the client socket.
1329  */
1330 static long vnc_client_read_plain(VncState *vs)
1331 {
1332     int ret;
1333     VNC_DEBUG("Read plain %p size %zd offset %zd\n",
1334               vs->input.buffer, vs->input.capacity, vs->input.offset);
1335     buffer_reserve(&vs->input, 4096);
1336     ret = vnc_client_read_buf(vs, buffer_end(&vs->input), 4096);
1337     if (!ret)
1338         return 0;
1339     vs->input.offset += ret;
1340     return ret;
1341 }
1342 
1343 static void vnc_jobs_bh(void *opaque)
1344 {
1345     VncState *vs = opaque;
1346 
1347     vnc_jobs_consume_buffer(vs);
1348 }
1349 
1350 /*
1351  * First function called whenever there is more data to be read from
1352  * the client socket. Will delegate actual work according to whether
1353  * SASL SSF layers are enabled (thus requiring decryption calls)
1354  */
1355 void vnc_client_read(void *opaque)
1356 {
1357     VncState *vs = opaque;
1358     long ret;
1359 
1360 #ifdef CONFIG_VNC_SASL
1361     if (vs->sasl.conn && vs->sasl.runSSF)
1362         ret = vnc_client_read_sasl(vs);
1363     else
1364 #endif /* CONFIG_VNC_SASL */
1365 #ifdef CONFIG_VNC_WS
1366         if (vs->encode_ws) {
1367             ret = vnc_client_read_ws(vs);
1368             if (ret == -1) {
1369                 vnc_disconnect_start(vs);
1370                 return;
1371             } else if (ret == -2) {
1372                 vnc_client_error(vs);
1373                 return;
1374             }
1375         } else
1376 #endif /* CONFIG_VNC_WS */
1377         {
1378         ret = vnc_client_read_plain(vs);
1379         }
1380     if (!ret) {
1381         if (vs->csock == -1)
1382             vnc_disconnect_finish(vs);
1383         return;
1384     }
1385 
1386     while (vs->read_handler && vs->input.offset >= vs->read_handler_expect) {
1387         size_t len = vs->read_handler_expect;
1388         int ret;
1389 
1390         ret = vs->read_handler(vs, vs->input.buffer, len);
1391         if (vs->csock == -1) {
1392             vnc_disconnect_finish(vs);
1393             return;
1394         }
1395 
1396         if (!ret) {
1397             buffer_advance(&vs->input, len);
1398         } else {
1399             vs->read_handler_expect = ret;
1400         }
1401     }
1402 }
1403 
1404 void vnc_write(VncState *vs, const void *data, size_t len)
1405 {
1406     buffer_reserve(&vs->output, len);
1407 
1408     if (vs->csock != -1 && buffer_empty(&vs->output)) {
1409         qemu_set_fd_handler2(vs->csock, NULL, vnc_client_read, vnc_client_write, vs);
1410     }
1411 
1412     buffer_append(&vs->output, data, len);
1413 }
1414 
1415 void vnc_write_s32(VncState *vs, int32_t value)
1416 {
1417     vnc_write_u32(vs, *(uint32_t *)&value);
1418 }
1419 
1420 void vnc_write_u32(VncState *vs, uint32_t value)
1421 {
1422     uint8_t buf[4];
1423 
1424     buf[0] = (value >> 24) & 0xFF;
1425     buf[1] = (value >> 16) & 0xFF;
1426     buf[2] = (value >>  8) & 0xFF;
1427     buf[3] = value & 0xFF;
1428 
1429     vnc_write(vs, buf, 4);
1430 }
1431 
1432 void vnc_write_u16(VncState *vs, uint16_t value)
1433 {
1434     uint8_t buf[2];
1435 
1436     buf[0] = (value >> 8) & 0xFF;
1437     buf[1] = value & 0xFF;
1438 
1439     vnc_write(vs, buf, 2);
1440 }
1441 
1442 void vnc_write_u8(VncState *vs, uint8_t value)
1443 {
1444     vnc_write(vs, (char *)&value, 1);
1445 }
1446 
1447 void vnc_flush(VncState *vs)
1448 {
1449     vnc_lock_output(vs);
1450     if (vs->csock != -1 && (vs->output.offset
1451 #ifdef CONFIG_VNC_WS
1452                 || vs->ws_output.offset
1453 #endif
1454                 )) {
1455         vnc_client_write_locked(vs);
1456     }
1457     vnc_unlock_output(vs);
1458 }
1459 
1460 static uint8_t read_u8(uint8_t *data, size_t offset)
1461 {
1462     return data[offset];
1463 }
1464 
1465 static uint16_t read_u16(uint8_t *data, size_t offset)
1466 {
1467     return ((data[offset] & 0xFF) << 8) | (data[offset + 1] & 0xFF);
1468 }
1469 
1470 static int32_t read_s32(uint8_t *data, size_t offset)
1471 {
1472     return (int32_t)((data[offset] << 24) | (data[offset + 1] << 16) |
1473                      (data[offset + 2] << 8) | data[offset + 3]);
1474 }
1475 
1476 uint32_t read_u32(uint8_t *data, size_t offset)
1477 {
1478     return ((data[offset] << 24) | (data[offset + 1] << 16) |
1479             (data[offset + 2] << 8) | data[offset + 3]);
1480 }
1481 
1482 static void client_cut_text(VncState *vs, size_t len, uint8_t *text)
1483 {
1484 }
1485 
1486 static void check_pointer_type_change(Notifier *notifier, void *data)
1487 {
1488     VncState *vs = container_of(notifier, VncState, mouse_mode_notifier);
1489     int absolute = qemu_input_is_absolute();
1490 
1491     if (vnc_has_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE) && vs->absolute != absolute) {
1492         vnc_lock_output(vs);
1493         vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1494         vnc_write_u8(vs, 0);
1495         vnc_write_u16(vs, 1);
1496         vnc_framebuffer_update(vs, absolute, 0,
1497                                surface_width(vs->vd->ds),
1498                                surface_height(vs->vd->ds),
1499                                VNC_ENCODING_POINTER_TYPE_CHANGE);
1500         vnc_unlock_output(vs);
1501         vnc_flush(vs);
1502     }
1503     vs->absolute = absolute;
1504 }
1505 
1506 static void pointer_event(VncState *vs, int button_mask, int x, int y)
1507 {
1508     static uint32_t bmap[INPUT_BUTTON_MAX] = {
1509         [INPUT_BUTTON_LEFT]       = 0x01,
1510         [INPUT_BUTTON_MIDDLE]     = 0x02,
1511         [INPUT_BUTTON_RIGHT]      = 0x04,
1512         [INPUT_BUTTON_WHEEL_UP]   = 0x08,
1513         [INPUT_BUTTON_WHEEL_DOWN] = 0x10,
1514     };
1515     QemuConsole *con = vs->vd->dcl.con;
1516     int width = surface_width(vs->vd->ds);
1517     int height = surface_height(vs->vd->ds);
1518 
1519     if (vs->last_bmask != button_mask) {
1520         qemu_input_update_buttons(con, bmap, vs->last_bmask, button_mask);
1521         vs->last_bmask = button_mask;
1522     }
1523 
1524     if (vs->absolute) {
1525         qemu_input_queue_abs(con, INPUT_AXIS_X, x, width);
1526         qemu_input_queue_abs(con, INPUT_AXIS_Y, y, height);
1527     } else if (vnc_has_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE)) {
1528         qemu_input_queue_rel(con, INPUT_AXIS_X, x - 0x7FFF);
1529         qemu_input_queue_rel(con, INPUT_AXIS_Y, y - 0x7FFF);
1530     } else {
1531         if (vs->last_x != -1) {
1532             qemu_input_queue_rel(con, INPUT_AXIS_X, x - vs->last_x);
1533             qemu_input_queue_rel(con, INPUT_AXIS_Y, y - vs->last_y);
1534         }
1535         vs->last_x = x;
1536         vs->last_y = y;
1537     }
1538     qemu_input_event_sync();
1539 }
1540 
1541 static void reset_keys(VncState *vs)
1542 {
1543     int i;
1544     for(i = 0; i < 256; i++) {
1545         if (vs->modifiers_state[i]) {
1546             qemu_input_event_send_key_number(vs->vd->dcl.con, i, false);
1547             vs->modifiers_state[i] = 0;
1548         }
1549     }
1550 }
1551 
1552 static void press_key(VncState *vs, int keysym)
1553 {
1554     int keycode = keysym2scancode(vs->vd->kbd_layout, keysym) & SCANCODE_KEYMASK;
1555     qemu_input_event_send_key_number(vs->vd->dcl.con, keycode, true);
1556     qemu_input_event_send_key_delay(0);
1557     qemu_input_event_send_key_number(vs->vd->dcl.con, keycode, false);
1558     qemu_input_event_send_key_delay(0);
1559 }
1560 
1561 static int current_led_state(VncState *vs)
1562 {
1563     int ledstate = 0;
1564 
1565     if (vs->modifiers_state[0x46]) {
1566         ledstate |= QEMU_SCROLL_LOCK_LED;
1567     }
1568     if (vs->modifiers_state[0x45]) {
1569         ledstate |= QEMU_NUM_LOCK_LED;
1570     }
1571     if (vs->modifiers_state[0x3a]) {
1572         ledstate |= QEMU_CAPS_LOCK_LED;
1573     }
1574 
1575     return ledstate;
1576 }
1577 
1578 static void vnc_led_state_change(VncState *vs)
1579 {
1580     int ledstate = 0;
1581 
1582     if (!vnc_has_feature(vs, VNC_FEATURE_LED_STATE)) {
1583         return;
1584     }
1585 
1586     ledstate = current_led_state(vs);
1587     vnc_lock_output(vs);
1588     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1589     vnc_write_u8(vs, 0);
1590     vnc_write_u16(vs, 1);
1591     vnc_framebuffer_update(vs, 0, 0, 1, 1, VNC_ENCODING_LED_STATE);
1592     vnc_write_u8(vs, ledstate);
1593     vnc_unlock_output(vs);
1594     vnc_flush(vs);
1595 }
1596 
1597 static void kbd_leds(void *opaque, int ledstate)
1598 {
1599     VncState *vs = opaque;
1600     int caps, num, scr;
1601     bool has_changed = (ledstate != current_led_state(vs));
1602 
1603     trace_vnc_key_guest_leds((ledstate & QEMU_CAPS_LOCK_LED),
1604                              (ledstate & QEMU_NUM_LOCK_LED),
1605                              (ledstate & QEMU_SCROLL_LOCK_LED));
1606 
1607     caps = ledstate & QEMU_CAPS_LOCK_LED ? 1 : 0;
1608     num  = ledstate & QEMU_NUM_LOCK_LED  ? 1 : 0;
1609     scr  = ledstate & QEMU_SCROLL_LOCK_LED ? 1 : 0;
1610 
1611     if (vs->modifiers_state[0x3a] != caps) {
1612         vs->modifiers_state[0x3a] = caps;
1613     }
1614     if (vs->modifiers_state[0x45] != num) {
1615         vs->modifiers_state[0x45] = num;
1616     }
1617     if (vs->modifiers_state[0x46] != scr) {
1618         vs->modifiers_state[0x46] = scr;
1619     }
1620 
1621     /* Sending the current led state message to the client */
1622     if (has_changed) {
1623         vnc_led_state_change(vs);
1624     }
1625 }
1626 
1627 static void do_key_event(VncState *vs, int down, int keycode, int sym)
1628 {
1629     /* QEMU console switch */
1630     switch(keycode) {
1631     case 0x2a:                          /* Left Shift */
1632     case 0x36:                          /* Right Shift */
1633     case 0x1d:                          /* Left CTRL */
1634     case 0x9d:                          /* Right CTRL */
1635     case 0x38:                          /* Left ALT */
1636     case 0xb8:                          /* Right ALT */
1637         if (down)
1638             vs->modifiers_state[keycode] = 1;
1639         else
1640             vs->modifiers_state[keycode] = 0;
1641         break;
1642     case 0x02 ... 0x0a: /* '1' to '9' keys */
1643         if (down && vs->modifiers_state[0x1d] && vs->modifiers_state[0x38]) {
1644             /* Reset the modifiers sent to the current console */
1645             reset_keys(vs);
1646             console_select(keycode - 0x02);
1647             return;
1648         }
1649         break;
1650     case 0x3a:                        /* CapsLock */
1651     case 0x45:                        /* NumLock */
1652         if (down)
1653             vs->modifiers_state[keycode] ^= 1;
1654         break;
1655     }
1656 
1657     /* Turn off the lock state sync logic if the client support the led
1658        state extension.
1659     */
1660     if (down && vs->vd->lock_key_sync &&
1661         !vnc_has_feature(vs, VNC_FEATURE_LED_STATE) &&
1662         keycode_is_keypad(vs->vd->kbd_layout, keycode)) {
1663         /* If the numlock state needs to change then simulate an additional
1664            keypress before sending this one.  This will happen if the user
1665            toggles numlock away from the VNC window.
1666         */
1667         if (keysym_is_numlock(vs->vd->kbd_layout, sym & 0xFFFF)) {
1668             if (!vs->modifiers_state[0x45]) {
1669                 trace_vnc_key_sync_numlock(true);
1670                 vs->modifiers_state[0x45] = 1;
1671                 press_key(vs, 0xff7f);
1672             }
1673         } else {
1674             if (vs->modifiers_state[0x45]) {
1675                 trace_vnc_key_sync_numlock(false);
1676                 vs->modifiers_state[0x45] = 0;
1677                 press_key(vs, 0xff7f);
1678             }
1679         }
1680     }
1681 
1682     if (down && vs->vd->lock_key_sync &&
1683         !vnc_has_feature(vs, VNC_FEATURE_LED_STATE) &&
1684         ((sym >= 'A' && sym <= 'Z') || (sym >= 'a' && sym <= 'z'))) {
1685         /* If the capslock state needs to change then simulate an additional
1686            keypress before sending this one.  This will happen if the user
1687            toggles capslock away from the VNC window.
1688         */
1689         int uppercase = !!(sym >= 'A' && sym <= 'Z');
1690         int shift = !!(vs->modifiers_state[0x2a] | vs->modifiers_state[0x36]);
1691         int capslock = !!(vs->modifiers_state[0x3a]);
1692         if (capslock) {
1693             if (uppercase == shift) {
1694                 trace_vnc_key_sync_capslock(false);
1695                 vs->modifiers_state[0x3a] = 0;
1696                 press_key(vs, 0xffe5);
1697             }
1698         } else {
1699             if (uppercase != shift) {
1700                 trace_vnc_key_sync_capslock(true);
1701                 vs->modifiers_state[0x3a] = 1;
1702                 press_key(vs, 0xffe5);
1703             }
1704         }
1705     }
1706 
1707     if (qemu_console_is_graphic(NULL)) {
1708         qemu_input_event_send_key_number(vs->vd->dcl.con, keycode, down);
1709     } else {
1710         bool numlock = vs->modifiers_state[0x45];
1711         bool control = (vs->modifiers_state[0x1d] ||
1712                         vs->modifiers_state[0x9d]);
1713         /* QEMU console emulation */
1714         if (down) {
1715             switch (keycode) {
1716             case 0x2a:                          /* Left Shift */
1717             case 0x36:                          /* Right Shift */
1718             case 0x1d:                          /* Left CTRL */
1719             case 0x9d:                          /* Right CTRL */
1720             case 0x38:                          /* Left ALT */
1721             case 0xb8:                          /* Right ALT */
1722                 break;
1723             case 0xc8:
1724                 kbd_put_keysym(QEMU_KEY_UP);
1725                 break;
1726             case 0xd0:
1727                 kbd_put_keysym(QEMU_KEY_DOWN);
1728                 break;
1729             case 0xcb:
1730                 kbd_put_keysym(QEMU_KEY_LEFT);
1731                 break;
1732             case 0xcd:
1733                 kbd_put_keysym(QEMU_KEY_RIGHT);
1734                 break;
1735             case 0xd3:
1736                 kbd_put_keysym(QEMU_KEY_DELETE);
1737                 break;
1738             case 0xc7:
1739                 kbd_put_keysym(QEMU_KEY_HOME);
1740                 break;
1741             case 0xcf:
1742                 kbd_put_keysym(QEMU_KEY_END);
1743                 break;
1744             case 0xc9:
1745                 kbd_put_keysym(QEMU_KEY_PAGEUP);
1746                 break;
1747             case 0xd1:
1748                 kbd_put_keysym(QEMU_KEY_PAGEDOWN);
1749                 break;
1750 
1751             case 0x47:
1752                 kbd_put_keysym(numlock ? '7' : QEMU_KEY_HOME);
1753                 break;
1754             case 0x48:
1755                 kbd_put_keysym(numlock ? '8' : QEMU_KEY_UP);
1756                 break;
1757             case 0x49:
1758                 kbd_put_keysym(numlock ? '9' : QEMU_KEY_PAGEUP);
1759                 break;
1760             case 0x4b:
1761                 kbd_put_keysym(numlock ? '4' : QEMU_KEY_LEFT);
1762                 break;
1763             case 0x4c:
1764                 kbd_put_keysym('5');
1765                 break;
1766             case 0x4d:
1767                 kbd_put_keysym(numlock ? '6' : QEMU_KEY_RIGHT);
1768                 break;
1769             case 0x4f:
1770                 kbd_put_keysym(numlock ? '1' : QEMU_KEY_END);
1771                 break;
1772             case 0x50:
1773                 kbd_put_keysym(numlock ? '2' : QEMU_KEY_DOWN);
1774                 break;
1775             case 0x51:
1776                 kbd_put_keysym(numlock ? '3' : QEMU_KEY_PAGEDOWN);
1777                 break;
1778             case 0x52:
1779                 kbd_put_keysym('0');
1780                 break;
1781             case 0x53:
1782                 kbd_put_keysym(numlock ? '.' : QEMU_KEY_DELETE);
1783                 break;
1784 
1785             case 0xb5:
1786                 kbd_put_keysym('/');
1787                 break;
1788             case 0x37:
1789                 kbd_put_keysym('*');
1790                 break;
1791             case 0x4a:
1792                 kbd_put_keysym('-');
1793                 break;
1794             case 0x4e:
1795                 kbd_put_keysym('+');
1796                 break;
1797             case 0x9c:
1798                 kbd_put_keysym('\n');
1799                 break;
1800 
1801             default:
1802                 if (control) {
1803                     kbd_put_keysym(sym & 0x1f);
1804                 } else {
1805                     kbd_put_keysym(sym);
1806                 }
1807                 break;
1808             }
1809         }
1810     }
1811 }
1812 
1813 static void vnc_release_modifiers(VncState *vs)
1814 {
1815     static const int keycodes[] = {
1816         /* shift, control, alt keys, both left & right */
1817         0x2a, 0x36, 0x1d, 0x9d, 0x38, 0xb8,
1818     };
1819     int i, keycode;
1820 
1821     if (!qemu_console_is_graphic(NULL)) {
1822         return;
1823     }
1824     for (i = 0; i < ARRAY_SIZE(keycodes); i++) {
1825         keycode = keycodes[i];
1826         if (!vs->modifiers_state[keycode]) {
1827             continue;
1828         }
1829         qemu_input_event_send_key_number(vs->vd->dcl.con, keycode, false);
1830     }
1831 }
1832 
1833 static const char *code2name(int keycode)
1834 {
1835     return QKeyCode_lookup[qemu_input_key_number_to_qcode(keycode)];
1836 }
1837 
1838 static void key_event(VncState *vs, int down, uint32_t sym)
1839 {
1840     int keycode;
1841     int lsym = sym;
1842 
1843     if (lsym >= 'A' && lsym <= 'Z' && qemu_console_is_graphic(NULL)) {
1844         lsym = lsym - 'A' + 'a';
1845     }
1846 
1847     keycode = keysym2scancode(vs->vd->kbd_layout, lsym & 0xFFFF) & SCANCODE_KEYMASK;
1848     trace_vnc_key_event_map(down, sym, keycode, code2name(keycode));
1849     do_key_event(vs, down, keycode, sym);
1850 }
1851 
1852 static void ext_key_event(VncState *vs, int down,
1853                           uint32_t sym, uint16_t keycode)
1854 {
1855     /* if the user specifies a keyboard layout, always use it */
1856     if (keyboard_layout) {
1857         key_event(vs, down, sym);
1858     } else {
1859         trace_vnc_key_event_ext(down, sym, keycode, code2name(keycode));
1860         do_key_event(vs, down, keycode, sym);
1861     }
1862 }
1863 
1864 static void framebuffer_update_request(VncState *vs, int incremental,
1865                                        int x_position, int y_position,
1866                                        int w, int h)
1867 {
1868     int i;
1869     const size_t width = surface_width(vs->vd->ds) / VNC_DIRTY_PIXELS_PER_BIT;
1870     const size_t height = surface_height(vs->vd->ds);
1871 
1872     if (y_position > height) {
1873         y_position = height;
1874     }
1875     if (y_position + h >= height) {
1876         h = height - y_position;
1877     }
1878 
1879     vs->need_update = 1;
1880     if (!incremental) {
1881         vs->force_update = 1;
1882         for (i = 0; i < h; i++) {
1883             bitmap_set(vs->dirty[y_position + i], 0, width);
1884             bitmap_clear(vs->dirty[y_position + i], width,
1885                          VNC_DIRTY_BITS - width);
1886         }
1887     }
1888 }
1889 
1890 static void send_ext_key_event_ack(VncState *vs)
1891 {
1892     vnc_lock_output(vs);
1893     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1894     vnc_write_u8(vs, 0);
1895     vnc_write_u16(vs, 1);
1896     vnc_framebuffer_update(vs, 0, 0,
1897                            surface_width(vs->vd->ds),
1898                            surface_height(vs->vd->ds),
1899                            VNC_ENCODING_EXT_KEY_EVENT);
1900     vnc_unlock_output(vs);
1901     vnc_flush(vs);
1902 }
1903 
1904 static void send_ext_audio_ack(VncState *vs)
1905 {
1906     vnc_lock_output(vs);
1907     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1908     vnc_write_u8(vs, 0);
1909     vnc_write_u16(vs, 1);
1910     vnc_framebuffer_update(vs, 0, 0,
1911                            surface_width(vs->vd->ds),
1912                            surface_height(vs->vd->ds),
1913                            VNC_ENCODING_AUDIO);
1914     vnc_unlock_output(vs);
1915     vnc_flush(vs);
1916 }
1917 
1918 static void set_encodings(VncState *vs, int32_t *encodings, size_t n_encodings)
1919 {
1920     int i;
1921     unsigned int enc = 0;
1922 
1923     vs->features = 0;
1924     vs->vnc_encoding = 0;
1925     vs->tight.compression = 9;
1926     vs->tight.quality = -1; /* Lossless by default */
1927     vs->absolute = -1;
1928 
1929     /*
1930      * Start from the end because the encodings are sent in order of preference.
1931      * This way the preferred encoding (first encoding defined in the array)
1932      * will be set at the end of the loop.
1933      */
1934     for (i = n_encodings - 1; i >= 0; i--) {
1935         enc = encodings[i];
1936         switch (enc) {
1937         case VNC_ENCODING_RAW:
1938             vs->vnc_encoding = enc;
1939             break;
1940         case VNC_ENCODING_COPYRECT:
1941             vs->features |= VNC_FEATURE_COPYRECT_MASK;
1942             break;
1943         case VNC_ENCODING_HEXTILE:
1944             vs->features |= VNC_FEATURE_HEXTILE_MASK;
1945             vs->vnc_encoding = enc;
1946             break;
1947         case VNC_ENCODING_TIGHT:
1948             vs->features |= VNC_FEATURE_TIGHT_MASK;
1949             vs->vnc_encoding = enc;
1950             break;
1951 #ifdef CONFIG_VNC_PNG
1952         case VNC_ENCODING_TIGHT_PNG:
1953             vs->features |= VNC_FEATURE_TIGHT_PNG_MASK;
1954             vs->vnc_encoding = enc;
1955             break;
1956 #endif
1957         case VNC_ENCODING_ZLIB:
1958             vs->features |= VNC_FEATURE_ZLIB_MASK;
1959             vs->vnc_encoding = enc;
1960             break;
1961         case VNC_ENCODING_ZRLE:
1962             vs->features |= VNC_FEATURE_ZRLE_MASK;
1963             vs->vnc_encoding = enc;
1964             break;
1965         case VNC_ENCODING_ZYWRLE:
1966             vs->features |= VNC_FEATURE_ZYWRLE_MASK;
1967             vs->vnc_encoding = enc;
1968             break;
1969         case VNC_ENCODING_DESKTOPRESIZE:
1970             vs->features |= VNC_FEATURE_RESIZE_MASK;
1971             break;
1972         case VNC_ENCODING_POINTER_TYPE_CHANGE:
1973             vs->features |= VNC_FEATURE_POINTER_TYPE_CHANGE_MASK;
1974             break;
1975         case VNC_ENCODING_RICH_CURSOR:
1976             vs->features |= VNC_FEATURE_RICH_CURSOR_MASK;
1977             break;
1978         case VNC_ENCODING_EXT_KEY_EVENT:
1979             send_ext_key_event_ack(vs);
1980             break;
1981         case VNC_ENCODING_AUDIO:
1982             send_ext_audio_ack(vs);
1983             break;
1984         case VNC_ENCODING_WMVi:
1985             vs->features |= VNC_FEATURE_WMVI_MASK;
1986             break;
1987         case VNC_ENCODING_LED_STATE:
1988             vs->features |= VNC_FEATURE_LED_STATE_MASK;
1989             break;
1990         case VNC_ENCODING_COMPRESSLEVEL0 ... VNC_ENCODING_COMPRESSLEVEL0 + 9:
1991             vs->tight.compression = (enc & 0x0F);
1992             break;
1993         case VNC_ENCODING_QUALITYLEVEL0 ... VNC_ENCODING_QUALITYLEVEL0 + 9:
1994             if (vs->vd->lossy) {
1995                 vs->tight.quality = (enc & 0x0F);
1996             }
1997             break;
1998         default:
1999             VNC_DEBUG("Unknown encoding: %d (0x%.8x): %d\n", i, enc, enc);
2000             break;
2001         }
2002     }
2003     vnc_desktop_resize(vs);
2004     check_pointer_type_change(&vs->mouse_mode_notifier, NULL);
2005     vnc_led_state_change(vs);
2006 }
2007 
2008 static void set_pixel_conversion(VncState *vs)
2009 {
2010     pixman_format_code_t fmt = qemu_pixman_get_format(&vs->client_pf);
2011 
2012     if (fmt == VNC_SERVER_FB_FORMAT) {
2013         vs->write_pixels = vnc_write_pixels_copy;
2014         vnc_hextile_set_pixel_conversion(vs, 0);
2015     } else {
2016         vs->write_pixels = vnc_write_pixels_generic;
2017         vnc_hextile_set_pixel_conversion(vs, 1);
2018     }
2019 }
2020 
2021 static void set_pixel_format(VncState *vs,
2022                              int bits_per_pixel, int depth,
2023                              int big_endian_flag, int true_color_flag,
2024                              int red_max, int green_max, int blue_max,
2025                              int red_shift, int green_shift, int blue_shift)
2026 {
2027     if (!true_color_flag) {
2028         vnc_client_error(vs);
2029         return;
2030     }
2031 
2032     vs->client_pf.rmax = red_max;
2033     vs->client_pf.rbits = hweight_long(red_max);
2034     vs->client_pf.rshift = red_shift;
2035     vs->client_pf.rmask = red_max << red_shift;
2036     vs->client_pf.gmax = green_max;
2037     vs->client_pf.gbits = hweight_long(green_max);
2038     vs->client_pf.gshift = green_shift;
2039     vs->client_pf.gmask = green_max << green_shift;
2040     vs->client_pf.bmax = blue_max;
2041     vs->client_pf.bbits = hweight_long(blue_max);
2042     vs->client_pf.bshift = blue_shift;
2043     vs->client_pf.bmask = blue_max << blue_shift;
2044     vs->client_pf.bits_per_pixel = bits_per_pixel;
2045     vs->client_pf.bytes_per_pixel = bits_per_pixel / 8;
2046     vs->client_pf.depth = bits_per_pixel == 32 ? 24 : bits_per_pixel;
2047     vs->client_be = big_endian_flag;
2048 
2049     set_pixel_conversion(vs);
2050 
2051     graphic_hw_invalidate(NULL);
2052     graphic_hw_update(NULL);
2053 }
2054 
2055 static void pixel_format_message (VncState *vs) {
2056     char pad[3] = { 0, 0, 0 };
2057 
2058     vs->client_pf = qemu_default_pixelformat(32);
2059 
2060     vnc_write_u8(vs, vs->client_pf.bits_per_pixel); /* bits-per-pixel */
2061     vnc_write_u8(vs, vs->client_pf.depth); /* depth */
2062 
2063 #ifdef HOST_WORDS_BIGENDIAN
2064     vnc_write_u8(vs, 1);             /* big-endian-flag */
2065 #else
2066     vnc_write_u8(vs, 0);             /* big-endian-flag */
2067 #endif
2068     vnc_write_u8(vs, 1);             /* true-color-flag */
2069     vnc_write_u16(vs, vs->client_pf.rmax);     /* red-max */
2070     vnc_write_u16(vs, vs->client_pf.gmax);     /* green-max */
2071     vnc_write_u16(vs, vs->client_pf.bmax);     /* blue-max */
2072     vnc_write_u8(vs, vs->client_pf.rshift);    /* red-shift */
2073     vnc_write_u8(vs, vs->client_pf.gshift);    /* green-shift */
2074     vnc_write_u8(vs, vs->client_pf.bshift);    /* blue-shift */
2075     vnc_write(vs, pad, 3);           /* padding */
2076 
2077     vnc_hextile_set_pixel_conversion(vs, 0);
2078     vs->write_pixels = vnc_write_pixels_copy;
2079 }
2080 
2081 static void vnc_colordepth(VncState *vs)
2082 {
2083     if (vnc_has_feature(vs, VNC_FEATURE_WMVI)) {
2084         /* Sending a WMVi message to notify the client*/
2085         vnc_lock_output(vs);
2086         vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2087         vnc_write_u8(vs, 0);
2088         vnc_write_u16(vs, 1); /* number of rects */
2089         vnc_framebuffer_update(vs, 0, 0,
2090                                surface_width(vs->vd->ds),
2091                                surface_height(vs->vd->ds),
2092                                VNC_ENCODING_WMVi);
2093         pixel_format_message(vs);
2094         vnc_unlock_output(vs);
2095         vnc_flush(vs);
2096     } else {
2097         set_pixel_conversion(vs);
2098     }
2099 }
2100 
2101 static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
2102 {
2103     int i;
2104     uint16_t limit;
2105     VncDisplay *vd = vs->vd;
2106 
2107     if (data[0] > 3) {
2108         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
2109     }
2110 
2111     switch (data[0]) {
2112     case VNC_MSG_CLIENT_SET_PIXEL_FORMAT:
2113         if (len == 1)
2114             return 20;
2115 
2116         set_pixel_format(vs, read_u8(data, 4), read_u8(data, 5),
2117                          read_u8(data, 6), read_u8(data, 7),
2118                          read_u16(data, 8), read_u16(data, 10),
2119                          read_u16(data, 12), read_u8(data, 14),
2120                          read_u8(data, 15), read_u8(data, 16));
2121         break;
2122     case VNC_MSG_CLIENT_SET_ENCODINGS:
2123         if (len == 1)
2124             return 4;
2125 
2126         if (len == 4) {
2127             limit = read_u16(data, 2);
2128             if (limit > 0)
2129                 return 4 + (limit * 4);
2130         } else
2131             limit = read_u16(data, 2);
2132 
2133         for (i = 0; i < limit; i++) {
2134             int32_t val = read_s32(data, 4 + (i * 4));
2135             memcpy(data + 4 + (i * 4), &val, sizeof(val));
2136         }
2137 
2138         set_encodings(vs, (int32_t *)(data + 4), limit);
2139         break;
2140     case VNC_MSG_CLIENT_FRAMEBUFFER_UPDATE_REQUEST:
2141         if (len == 1)
2142             return 10;
2143 
2144         framebuffer_update_request(vs,
2145                                    read_u8(data, 1), read_u16(data, 2), read_u16(data, 4),
2146                                    read_u16(data, 6), read_u16(data, 8));
2147         break;
2148     case VNC_MSG_CLIENT_KEY_EVENT:
2149         if (len == 1)
2150             return 8;
2151 
2152         key_event(vs, read_u8(data, 1), read_u32(data, 4));
2153         break;
2154     case VNC_MSG_CLIENT_POINTER_EVENT:
2155         if (len == 1)
2156             return 6;
2157 
2158         pointer_event(vs, read_u8(data, 1), read_u16(data, 2), read_u16(data, 4));
2159         break;
2160     case VNC_MSG_CLIENT_CUT_TEXT:
2161         if (len == 1)
2162             return 8;
2163 
2164         if (len == 8) {
2165             uint32_t dlen = read_u32(data, 4);
2166             if (dlen > 0)
2167                 return 8 + dlen;
2168         }
2169 
2170         client_cut_text(vs, read_u32(data, 4), data + 8);
2171         break;
2172     case VNC_MSG_CLIENT_QEMU:
2173         if (len == 1)
2174             return 2;
2175 
2176         switch (read_u8(data, 1)) {
2177         case VNC_MSG_CLIENT_QEMU_EXT_KEY_EVENT:
2178             if (len == 2)
2179                 return 12;
2180 
2181             ext_key_event(vs, read_u16(data, 2),
2182                           read_u32(data, 4), read_u32(data, 8));
2183             break;
2184         case VNC_MSG_CLIENT_QEMU_AUDIO:
2185             if (len == 2)
2186                 return 4;
2187 
2188             switch (read_u16 (data, 2)) {
2189             case VNC_MSG_CLIENT_QEMU_AUDIO_ENABLE:
2190                 audio_add(vs);
2191                 break;
2192             case VNC_MSG_CLIENT_QEMU_AUDIO_DISABLE:
2193                 audio_del(vs);
2194                 break;
2195             case VNC_MSG_CLIENT_QEMU_AUDIO_SET_FORMAT:
2196                 if (len == 4)
2197                     return 10;
2198                 switch (read_u8(data, 4)) {
2199                 case 0: vs->as.fmt = AUD_FMT_U8; break;
2200                 case 1: vs->as.fmt = AUD_FMT_S8; break;
2201                 case 2: vs->as.fmt = AUD_FMT_U16; break;
2202                 case 3: vs->as.fmt = AUD_FMT_S16; break;
2203                 case 4: vs->as.fmt = AUD_FMT_U32; break;
2204                 case 5: vs->as.fmt = AUD_FMT_S32; break;
2205                 default:
2206                     printf("Invalid audio format %d\n", read_u8(data, 4));
2207                     vnc_client_error(vs);
2208                     break;
2209                 }
2210                 vs->as.nchannels = read_u8(data, 5);
2211                 if (vs->as.nchannels != 1 && vs->as.nchannels != 2) {
2212                     printf("Invalid audio channel coount %d\n",
2213                            read_u8(data, 5));
2214                     vnc_client_error(vs);
2215                     break;
2216                 }
2217                 vs->as.freq = read_u32(data, 6);
2218                 break;
2219             default:
2220                 printf ("Invalid audio message %d\n", read_u8(data, 4));
2221                 vnc_client_error(vs);
2222                 break;
2223             }
2224             break;
2225 
2226         default:
2227             printf("Msg: %d\n", read_u16(data, 0));
2228             vnc_client_error(vs);
2229             break;
2230         }
2231         break;
2232     default:
2233         printf("Msg: %d\n", data[0]);
2234         vnc_client_error(vs);
2235         break;
2236     }
2237 
2238     vnc_read_when(vs, protocol_client_msg, 1);
2239     return 0;
2240 }
2241 
2242 static int protocol_client_init(VncState *vs, uint8_t *data, size_t len)
2243 {
2244     char buf[1024];
2245     VncShareMode mode;
2246     int size;
2247 
2248     mode = data[0] ? VNC_SHARE_MODE_SHARED : VNC_SHARE_MODE_EXCLUSIVE;
2249     switch (vs->vd->share_policy) {
2250     case VNC_SHARE_POLICY_IGNORE:
2251         /*
2252          * Ignore the shared flag.  Nothing to do here.
2253          *
2254          * Doesn't conform to the rfb spec but is traditional qemu
2255          * behavior, thus left here as option for compatibility
2256          * reasons.
2257          */
2258         break;
2259     case VNC_SHARE_POLICY_ALLOW_EXCLUSIVE:
2260         /*
2261          * Policy: Allow clients ask for exclusive access.
2262          *
2263          * Implementation: When a client asks for exclusive access,
2264          * disconnect all others. Shared connects are allowed as long
2265          * as no exclusive connection exists.
2266          *
2267          * This is how the rfb spec suggests to handle the shared flag.
2268          */
2269         if (mode == VNC_SHARE_MODE_EXCLUSIVE) {
2270             VncState *client;
2271             QTAILQ_FOREACH(client, &vs->vd->clients, next) {
2272                 if (vs == client) {
2273                     continue;
2274                 }
2275                 if (client->share_mode != VNC_SHARE_MODE_EXCLUSIVE &&
2276                     client->share_mode != VNC_SHARE_MODE_SHARED) {
2277                     continue;
2278                 }
2279                 vnc_disconnect_start(client);
2280             }
2281         }
2282         if (mode == VNC_SHARE_MODE_SHARED) {
2283             if (vs->vd->num_exclusive > 0) {
2284                 vnc_disconnect_start(vs);
2285                 return 0;
2286             }
2287         }
2288         break;
2289     case VNC_SHARE_POLICY_FORCE_SHARED:
2290         /*
2291          * Policy: Shared connects only.
2292          * Implementation: Disallow clients asking for exclusive access.
2293          *
2294          * Useful for shared desktop sessions where you don't want
2295          * someone forgetting to say -shared when running the vnc
2296          * client disconnect everybody else.
2297          */
2298         if (mode == VNC_SHARE_MODE_EXCLUSIVE) {
2299             vnc_disconnect_start(vs);
2300             return 0;
2301         }
2302         break;
2303     }
2304     vnc_set_share_mode(vs, mode);
2305 
2306     vs->client_width = surface_width(vs->vd->ds);
2307     vs->client_height = surface_height(vs->vd->ds);
2308     vnc_write_u16(vs, vs->client_width);
2309     vnc_write_u16(vs, vs->client_height);
2310 
2311     pixel_format_message(vs);
2312 
2313     if (qemu_name)
2314         size = snprintf(buf, sizeof(buf), "QEMU (%s)", qemu_name);
2315     else
2316         size = snprintf(buf, sizeof(buf), "QEMU");
2317 
2318     vnc_write_u32(vs, size);
2319     vnc_write(vs, buf, size);
2320     vnc_flush(vs);
2321 
2322     vnc_client_cache_auth(vs);
2323     vnc_qmp_event(vs, QEVENT_VNC_INITIALIZED);
2324 
2325     vnc_read_when(vs, protocol_client_msg, 1);
2326 
2327     return 0;
2328 }
2329 
2330 void start_client_init(VncState *vs)
2331 {
2332     vnc_read_when(vs, protocol_client_init, 1);
2333 }
2334 
2335 static void make_challenge(VncState *vs)
2336 {
2337     int i;
2338 
2339     srand(time(NULL)+getpid()+getpid()*987654+rand());
2340 
2341     for (i = 0 ; i < sizeof(vs->challenge) ; i++)
2342         vs->challenge[i] = (int) (256.0*rand()/(RAND_MAX+1.0));
2343 }
2344 
2345 static int protocol_client_auth_vnc(VncState *vs, uint8_t *data, size_t len)
2346 {
2347     unsigned char response[VNC_AUTH_CHALLENGE_SIZE];
2348     int i, j, pwlen;
2349     unsigned char key[8];
2350     time_t now = time(NULL);
2351 
2352     if (!vs->vd->password) {
2353         VNC_DEBUG("No password configured on server");
2354         goto reject;
2355     }
2356     if (vs->vd->expires < now) {
2357         VNC_DEBUG("Password is expired");
2358         goto reject;
2359     }
2360 
2361     memcpy(response, vs->challenge, VNC_AUTH_CHALLENGE_SIZE);
2362 
2363     /* Calculate the expected challenge response */
2364     pwlen = strlen(vs->vd->password);
2365     for (i=0; i<sizeof(key); i++)
2366         key[i] = i<pwlen ? vs->vd->password[i] : 0;
2367     deskey(key, EN0);
2368     for (j = 0; j < VNC_AUTH_CHALLENGE_SIZE; j += 8)
2369         des(response+j, response+j);
2370 
2371     /* Compare expected vs actual challenge response */
2372     if (memcmp(response, data, VNC_AUTH_CHALLENGE_SIZE) != 0) {
2373         VNC_DEBUG("Client challenge response did not match\n");
2374         goto reject;
2375     } else {
2376         VNC_DEBUG("Accepting VNC challenge response\n");
2377         vnc_write_u32(vs, 0); /* Accept auth */
2378         vnc_flush(vs);
2379 
2380         start_client_init(vs);
2381     }
2382     return 0;
2383 
2384 reject:
2385     vnc_write_u32(vs, 1); /* Reject auth */
2386     if (vs->minor >= 8) {
2387         static const char err[] = "Authentication failed";
2388         vnc_write_u32(vs, sizeof(err));
2389         vnc_write(vs, err, sizeof(err));
2390     }
2391     vnc_flush(vs);
2392     vnc_client_error(vs);
2393     return 0;
2394 }
2395 
2396 void start_auth_vnc(VncState *vs)
2397 {
2398     make_challenge(vs);
2399     /* Send client a 'random' challenge */
2400     vnc_write(vs, vs->challenge, sizeof(vs->challenge));
2401     vnc_flush(vs);
2402 
2403     vnc_read_when(vs, protocol_client_auth_vnc, sizeof(vs->challenge));
2404 }
2405 
2406 
2407 static int protocol_client_auth(VncState *vs, uint8_t *data, size_t len)
2408 {
2409     /* We only advertise 1 auth scheme at a time, so client
2410      * must pick the one we sent. Verify this */
2411     if (data[0] != vs->auth) { /* Reject auth */
2412        VNC_DEBUG("Reject auth %d because it didn't match advertized\n", (int)data[0]);
2413        vnc_write_u32(vs, 1);
2414        if (vs->minor >= 8) {
2415            static const char err[] = "Authentication failed";
2416            vnc_write_u32(vs, sizeof(err));
2417            vnc_write(vs, err, sizeof(err));
2418        }
2419        vnc_client_error(vs);
2420     } else { /* Accept requested auth */
2421        VNC_DEBUG("Client requested auth %d\n", (int)data[0]);
2422        switch (vs->auth) {
2423        case VNC_AUTH_NONE:
2424            VNC_DEBUG("Accept auth none\n");
2425            if (vs->minor >= 8) {
2426                vnc_write_u32(vs, 0); /* Accept auth completion */
2427                vnc_flush(vs);
2428            }
2429            start_client_init(vs);
2430            break;
2431 
2432        case VNC_AUTH_VNC:
2433            VNC_DEBUG("Start VNC auth\n");
2434            start_auth_vnc(vs);
2435            break;
2436 
2437 #ifdef CONFIG_VNC_TLS
2438        case VNC_AUTH_VENCRYPT:
2439            VNC_DEBUG("Accept VeNCrypt auth\n");
2440            start_auth_vencrypt(vs);
2441            break;
2442 #endif /* CONFIG_VNC_TLS */
2443 
2444 #ifdef CONFIG_VNC_SASL
2445        case VNC_AUTH_SASL:
2446            VNC_DEBUG("Accept SASL auth\n");
2447            start_auth_sasl(vs);
2448            break;
2449 #endif /* CONFIG_VNC_SASL */
2450 
2451        default: /* Should not be possible, but just in case */
2452            VNC_DEBUG("Reject auth %d server code bug\n", vs->auth);
2453            vnc_write_u8(vs, 1);
2454            if (vs->minor >= 8) {
2455                static const char err[] = "Authentication failed";
2456                vnc_write_u32(vs, sizeof(err));
2457                vnc_write(vs, err, sizeof(err));
2458            }
2459            vnc_client_error(vs);
2460        }
2461     }
2462     return 0;
2463 }
2464 
2465 static int protocol_version(VncState *vs, uint8_t *version, size_t len)
2466 {
2467     char local[13];
2468 
2469     memcpy(local, version, 12);
2470     local[12] = 0;
2471 
2472     if (sscanf(local, "RFB %03d.%03d\n", &vs->major, &vs->minor) != 2) {
2473         VNC_DEBUG("Malformed protocol version %s\n", local);
2474         vnc_client_error(vs);
2475         return 0;
2476     }
2477     VNC_DEBUG("Client request protocol version %d.%d\n", vs->major, vs->minor);
2478     if (vs->major != 3 ||
2479         (vs->minor != 3 &&
2480          vs->minor != 4 &&
2481          vs->minor != 5 &&
2482          vs->minor != 7 &&
2483          vs->minor != 8)) {
2484         VNC_DEBUG("Unsupported client version\n");
2485         vnc_write_u32(vs, VNC_AUTH_INVALID);
2486         vnc_flush(vs);
2487         vnc_client_error(vs);
2488         return 0;
2489     }
2490     /* Some broken clients report v3.4 or v3.5, which spec requires to be treated
2491      * as equivalent to v3.3 by servers
2492      */
2493     if (vs->minor == 4 || vs->minor == 5)
2494         vs->minor = 3;
2495 
2496     if (vs->minor == 3) {
2497         if (vs->auth == VNC_AUTH_NONE) {
2498             VNC_DEBUG("Tell client auth none\n");
2499             vnc_write_u32(vs, vs->auth);
2500             vnc_flush(vs);
2501             start_client_init(vs);
2502        } else if (vs->auth == VNC_AUTH_VNC) {
2503             VNC_DEBUG("Tell client VNC auth\n");
2504             vnc_write_u32(vs, vs->auth);
2505             vnc_flush(vs);
2506             start_auth_vnc(vs);
2507        } else {
2508             VNC_DEBUG("Unsupported auth %d for protocol 3.3\n", vs->auth);
2509             vnc_write_u32(vs, VNC_AUTH_INVALID);
2510             vnc_flush(vs);
2511             vnc_client_error(vs);
2512        }
2513     } else {
2514         VNC_DEBUG("Telling client we support auth %d\n", vs->auth);
2515         vnc_write_u8(vs, 1); /* num auth */
2516         vnc_write_u8(vs, vs->auth);
2517         vnc_read_when(vs, protocol_client_auth, 1);
2518         vnc_flush(vs);
2519     }
2520 
2521     return 0;
2522 }
2523 
2524 static VncRectStat *vnc_stat_rect(VncDisplay *vd, int x, int y)
2525 {
2526     struct VncSurface *vs = &vd->guest;
2527 
2528     return &vs->stats[y / VNC_STAT_RECT][x / VNC_STAT_RECT];
2529 }
2530 
2531 void vnc_sent_lossy_rect(VncState *vs, int x, int y, int w, int h)
2532 {
2533     int i, j;
2534 
2535     w = (x + w) / VNC_STAT_RECT;
2536     h = (y + h) / VNC_STAT_RECT;
2537     x /= VNC_STAT_RECT;
2538     y /= VNC_STAT_RECT;
2539 
2540     for (j = y; j <= h; j++) {
2541         for (i = x; i <= w; i++) {
2542             vs->lossy_rect[j][i] = 1;
2543         }
2544     }
2545 }
2546 
2547 static int vnc_refresh_lossy_rect(VncDisplay *vd, int x, int y)
2548 {
2549     VncState *vs;
2550     int sty = y / VNC_STAT_RECT;
2551     int stx = x / VNC_STAT_RECT;
2552     int has_dirty = 0;
2553 
2554     y = y / VNC_STAT_RECT * VNC_STAT_RECT;
2555     x = x / VNC_STAT_RECT * VNC_STAT_RECT;
2556 
2557     QTAILQ_FOREACH(vs, &vd->clients, next) {
2558         int j;
2559 
2560         /* kernel send buffers are full -> refresh later */
2561         if (vs->output.offset) {
2562             continue;
2563         }
2564 
2565         if (!vs->lossy_rect[sty][stx]) {
2566             continue;
2567         }
2568 
2569         vs->lossy_rect[sty][stx] = 0;
2570         for (j = 0; j < VNC_STAT_RECT; ++j) {
2571             bitmap_set(vs->dirty[y + j],
2572                        x / VNC_DIRTY_PIXELS_PER_BIT,
2573                        VNC_STAT_RECT / VNC_DIRTY_PIXELS_PER_BIT);
2574         }
2575         has_dirty++;
2576     }
2577 
2578     return has_dirty;
2579 }
2580 
2581 static int vnc_update_stats(VncDisplay *vd,  struct timeval * tv)
2582 {
2583     int width = pixman_image_get_width(vd->guest.fb);
2584     int height = pixman_image_get_height(vd->guest.fb);
2585     int x, y;
2586     struct timeval res;
2587     int has_dirty = 0;
2588 
2589     for (y = 0; y < height; y += VNC_STAT_RECT) {
2590         for (x = 0; x < width; x += VNC_STAT_RECT) {
2591             VncRectStat *rect = vnc_stat_rect(vd, x, y);
2592 
2593             rect->updated = false;
2594         }
2595     }
2596 
2597     qemu_timersub(tv, &VNC_REFRESH_STATS, &res);
2598 
2599     if (timercmp(&vd->guest.last_freq_check, &res, >)) {
2600         return has_dirty;
2601     }
2602     vd->guest.last_freq_check = *tv;
2603 
2604     for (y = 0; y < height; y += VNC_STAT_RECT) {
2605         for (x = 0; x < width; x += VNC_STAT_RECT) {
2606             VncRectStat *rect= vnc_stat_rect(vd, x, y);
2607             int count = ARRAY_SIZE(rect->times);
2608             struct timeval min, max;
2609 
2610             if (!timerisset(&rect->times[count - 1])) {
2611                 continue ;
2612             }
2613 
2614             max = rect->times[(rect->idx + count - 1) % count];
2615             qemu_timersub(tv, &max, &res);
2616 
2617             if (timercmp(&res, &VNC_REFRESH_LOSSY, >)) {
2618                 rect->freq = 0;
2619                 has_dirty += vnc_refresh_lossy_rect(vd, x, y);
2620                 memset(rect->times, 0, sizeof (rect->times));
2621                 continue ;
2622             }
2623 
2624             min = rect->times[rect->idx];
2625             max = rect->times[(rect->idx + count - 1) % count];
2626             qemu_timersub(&max, &min, &res);
2627 
2628             rect->freq = res.tv_sec + res.tv_usec / 1000000.;
2629             rect->freq /= count;
2630             rect->freq = 1. / rect->freq;
2631         }
2632     }
2633     return has_dirty;
2634 }
2635 
2636 double vnc_update_freq(VncState *vs, int x, int y, int w, int h)
2637 {
2638     int i, j;
2639     double total = 0;
2640     int num = 0;
2641 
2642     x =  (x / VNC_STAT_RECT) * VNC_STAT_RECT;
2643     y =  (y / VNC_STAT_RECT) * VNC_STAT_RECT;
2644 
2645     for (j = y; j <= y + h; j += VNC_STAT_RECT) {
2646         for (i = x; i <= x + w; i += VNC_STAT_RECT) {
2647             total += vnc_stat_rect(vs->vd, i, j)->freq;
2648             num++;
2649         }
2650     }
2651 
2652     if (num) {
2653         return total / num;
2654     } else {
2655         return 0;
2656     }
2657 }
2658 
2659 static void vnc_rect_updated(VncDisplay *vd, int x, int y, struct timeval * tv)
2660 {
2661     VncRectStat *rect;
2662 
2663     rect = vnc_stat_rect(vd, x, y);
2664     if (rect->updated) {
2665         return ;
2666     }
2667     rect->times[rect->idx] = *tv;
2668     rect->idx = (rect->idx + 1) % ARRAY_SIZE(rect->times);
2669     rect->updated = true;
2670 }
2671 
2672 static int vnc_refresh_server_surface(VncDisplay *vd)
2673 {
2674     int width = pixman_image_get_width(vd->guest.fb);
2675     int height = pixman_image_get_height(vd->guest.fb);
2676     int y;
2677     uint8_t *guest_row0 = NULL, *server_row0;
2678     int guest_stride = 0, server_stride;
2679     int cmp_bytes;
2680     VncState *vs;
2681     int has_dirty = 0;
2682     pixman_image_t *tmpbuf = NULL;
2683 
2684     struct timeval tv = { 0, 0 };
2685 
2686     if (!vd->non_adaptive) {
2687         gettimeofday(&tv, NULL);
2688         has_dirty = vnc_update_stats(vd, &tv);
2689     }
2690 
2691     /*
2692      * Walk through the guest dirty map.
2693      * Check and copy modified bits from guest to server surface.
2694      * Update server dirty map.
2695      */
2696     cmp_bytes = VNC_DIRTY_PIXELS_PER_BIT * VNC_SERVER_FB_BYTES;
2697     if (cmp_bytes > vnc_server_fb_stride(vd)) {
2698         cmp_bytes = vnc_server_fb_stride(vd);
2699     }
2700     if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
2701         int width = pixman_image_get_width(vd->server);
2702         tmpbuf = qemu_pixman_linebuf_create(VNC_SERVER_FB_FORMAT, width);
2703     } else {
2704         guest_row0 = (uint8_t *)pixman_image_get_data(vd->guest.fb);
2705         guest_stride = pixman_image_get_stride(vd->guest.fb);
2706     }
2707     server_row0 = (uint8_t *)pixman_image_get_data(vd->server);
2708     server_stride = pixman_image_get_stride(vd->server);
2709 
2710     y = 0;
2711     for (;;) {
2712         int x;
2713         uint8_t *guest_ptr, *server_ptr;
2714         unsigned long offset = find_next_bit((unsigned long *) &vd->guest.dirty,
2715                                              height * VNC_DIRTY_BPL(&vd->guest),
2716                                              y * VNC_DIRTY_BPL(&vd->guest));
2717         if (offset == height * VNC_DIRTY_BPL(&vd->guest)) {
2718             /* no more dirty bits */
2719             break;
2720         }
2721         y = offset / VNC_DIRTY_BPL(&vd->guest);
2722         x = offset % VNC_DIRTY_BPL(&vd->guest);
2723 
2724         server_ptr = server_row0 + y * server_stride + x * cmp_bytes;
2725 
2726         if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
2727             qemu_pixman_linebuf_fill(tmpbuf, vd->guest.fb, width, 0, y);
2728             guest_ptr = (uint8_t *)pixman_image_get_data(tmpbuf);
2729         } else {
2730             guest_ptr = guest_row0 + y * guest_stride;
2731         }
2732         guest_ptr += x * cmp_bytes;
2733 
2734         for (; x < DIV_ROUND_UP(width, VNC_DIRTY_PIXELS_PER_BIT);
2735              x++, guest_ptr += cmp_bytes, server_ptr += cmp_bytes) {
2736             if (!test_and_clear_bit(x, vd->guest.dirty[y])) {
2737                 continue;
2738             }
2739             if (memcmp(server_ptr, guest_ptr, cmp_bytes) == 0) {
2740                 continue;
2741             }
2742             memcpy(server_ptr, guest_ptr, cmp_bytes);
2743             if (!vd->non_adaptive) {
2744                 vnc_rect_updated(vd, x * VNC_DIRTY_PIXELS_PER_BIT,
2745                                  y, &tv);
2746             }
2747             QTAILQ_FOREACH(vs, &vd->clients, next) {
2748                 set_bit(x, vs->dirty[y]);
2749             }
2750             has_dirty++;
2751         }
2752 
2753         y++;
2754     }
2755     qemu_pixman_image_unref(tmpbuf);
2756     return has_dirty;
2757 }
2758 
2759 static void vnc_refresh(DisplayChangeListener *dcl)
2760 {
2761     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
2762     VncState *vs, *vn;
2763     int has_dirty, rects = 0;
2764 
2765     graphic_hw_update(NULL);
2766 
2767     if (vnc_trylock_display(vd)) {
2768         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
2769         return;
2770     }
2771 
2772     has_dirty = vnc_refresh_server_surface(vd);
2773     vnc_unlock_display(vd);
2774 
2775     QTAILQ_FOREACH_SAFE(vs, &vd->clients, next, vn) {
2776         rects += vnc_update_client(vs, has_dirty, false);
2777         /* vs might be free()ed here */
2778     }
2779 
2780     if (QTAILQ_EMPTY(&vd->clients)) {
2781         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_MAX);
2782         return;
2783     }
2784 
2785     if (has_dirty && rects) {
2786         vd->dcl.update_interval /= 2;
2787         if (vd->dcl.update_interval < VNC_REFRESH_INTERVAL_BASE) {
2788             vd->dcl.update_interval = VNC_REFRESH_INTERVAL_BASE;
2789         }
2790     } else {
2791         vd->dcl.update_interval += VNC_REFRESH_INTERVAL_INC;
2792         if (vd->dcl.update_interval > VNC_REFRESH_INTERVAL_MAX) {
2793             vd->dcl.update_interval = VNC_REFRESH_INTERVAL_MAX;
2794         }
2795     }
2796 }
2797 
2798 static void vnc_connect(VncDisplay *vd, int csock,
2799                         bool skipauth, bool websocket)
2800 {
2801     VncState *vs = g_malloc0(sizeof(VncState));
2802     int i;
2803 
2804     vs->csock = csock;
2805 
2806     if (skipauth) {
2807 	vs->auth = VNC_AUTH_NONE;
2808 #ifdef CONFIG_VNC_TLS
2809 	vs->subauth = VNC_AUTH_INVALID;
2810 #endif
2811     } else {
2812 	vs->auth = vd->auth;
2813 #ifdef CONFIG_VNC_TLS
2814 	vs->subauth = vd->subauth;
2815 #endif
2816     }
2817 
2818     vs->lossy_rect = g_malloc0(VNC_STAT_ROWS * sizeof (*vs->lossy_rect));
2819     for (i = 0; i < VNC_STAT_ROWS; ++i) {
2820         vs->lossy_rect[i] = g_malloc0(VNC_STAT_COLS * sizeof (uint8_t));
2821     }
2822 
2823     VNC_DEBUG("New client on socket %d\n", csock);
2824     update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
2825     qemu_set_nonblock(vs->csock);
2826 #ifdef CONFIG_VNC_WS
2827     if (websocket) {
2828         vs->websocket = 1;
2829 #ifdef CONFIG_VNC_TLS
2830         if (vd->tls.x509cert) {
2831             qemu_set_fd_handler2(vs->csock, NULL, vncws_tls_handshake_peek,
2832                                  NULL, vs);
2833         } else
2834 #endif /* CONFIG_VNC_TLS */
2835         {
2836             qemu_set_fd_handler2(vs->csock, NULL, vncws_handshake_read,
2837                                  NULL, vs);
2838         }
2839     } else
2840 #endif /* CONFIG_VNC_WS */
2841     {
2842         qemu_set_fd_handler2(vs->csock, NULL, vnc_client_read, NULL, vs);
2843     }
2844 
2845     vnc_client_cache_addr(vs);
2846     vnc_qmp_event(vs, QEVENT_VNC_CONNECTED);
2847     vnc_set_share_mode(vs, VNC_SHARE_MODE_CONNECTING);
2848 
2849     vs->vd = vd;
2850 
2851 #ifdef CONFIG_VNC_WS
2852     if (!vs->websocket)
2853 #endif
2854     {
2855         vnc_init_state(vs);
2856     }
2857 }
2858 
2859 void vnc_init_state(VncState *vs)
2860 {
2861     vs->initialized = true;
2862     VncDisplay *vd = vs->vd;
2863 
2864     vs->last_x = -1;
2865     vs->last_y = -1;
2866 
2867     vs->as.freq = 44100;
2868     vs->as.nchannels = 2;
2869     vs->as.fmt = AUD_FMT_S16;
2870     vs->as.endianness = 0;
2871 
2872     qemu_mutex_init(&vs->output_mutex);
2873     vs->bh = qemu_bh_new(vnc_jobs_bh, vs);
2874 
2875     QTAILQ_INSERT_HEAD(&vd->clients, vs, next);
2876 
2877     graphic_hw_update(NULL);
2878 
2879     vnc_write(vs, "RFB 003.008\n", 12);
2880     vnc_flush(vs);
2881     vnc_read_when(vs, protocol_version, 12);
2882     reset_keys(vs);
2883     if (vs->vd->lock_key_sync)
2884         vs->led = qemu_add_led_event_handler(kbd_leds, vs);
2885 
2886     vs->mouse_mode_notifier.notify = check_pointer_type_change;
2887     qemu_add_mouse_mode_change_notifier(&vs->mouse_mode_notifier);
2888 
2889     /* vs might be free()ed here */
2890 }
2891 
2892 static void vnc_listen_read(void *opaque, bool websocket)
2893 {
2894     VncDisplay *vs = opaque;
2895     struct sockaddr_in addr;
2896     socklen_t addrlen = sizeof(addr);
2897     int csock;
2898 
2899     /* Catch-up */
2900     graphic_hw_update(NULL);
2901 #ifdef CONFIG_VNC_WS
2902     if (websocket) {
2903         csock = qemu_accept(vs->lwebsock, (struct sockaddr *)&addr, &addrlen);
2904     } else
2905 #endif /* CONFIG_VNC_WS */
2906     {
2907         csock = qemu_accept(vs->lsock, (struct sockaddr *)&addr, &addrlen);
2908     }
2909 
2910     if (csock != -1) {
2911         vnc_connect(vs, csock, false, websocket);
2912     }
2913 }
2914 
2915 static void vnc_listen_regular_read(void *opaque)
2916 {
2917     vnc_listen_read(opaque, false);
2918 }
2919 
2920 #ifdef CONFIG_VNC_WS
2921 static void vnc_listen_websocket_read(void *opaque)
2922 {
2923     vnc_listen_read(opaque, true);
2924 }
2925 #endif /* CONFIG_VNC_WS */
2926 
2927 static const DisplayChangeListenerOps dcl_ops = {
2928     .dpy_name          = "vnc",
2929     .dpy_refresh       = vnc_refresh,
2930     .dpy_gfx_copy      = vnc_dpy_copy,
2931     .dpy_gfx_update    = vnc_dpy_update,
2932     .dpy_gfx_switch    = vnc_dpy_switch,
2933     .dpy_mouse_set     = vnc_mouse_set,
2934     .dpy_cursor_define = vnc_dpy_cursor_define,
2935 };
2936 
2937 void vnc_display_init(DisplayState *ds)
2938 {
2939     VncDisplay *vs = g_malloc0(sizeof(*vs));
2940 
2941     vnc_display = vs;
2942 
2943     vs->lsock = -1;
2944 #ifdef CONFIG_VNC_WS
2945     vs->lwebsock = -1;
2946 #endif
2947 
2948     QTAILQ_INIT(&vs->clients);
2949     vs->expires = TIME_MAX;
2950 
2951     if (keyboard_layout) {
2952         trace_vnc_key_map_init(keyboard_layout);
2953         vs->kbd_layout = init_keyboard_layout(name2keysym, keyboard_layout);
2954     } else {
2955         vs->kbd_layout = init_keyboard_layout(name2keysym, "en-us");
2956     }
2957 
2958     if (!vs->kbd_layout)
2959         exit(1);
2960 
2961     qemu_mutex_init(&vs->mutex);
2962     vnc_start_worker_thread();
2963 
2964     vs->dcl.ops = &dcl_ops;
2965     register_displaychangelistener(&vs->dcl);
2966 }
2967 
2968 
2969 static void vnc_display_close(DisplayState *ds)
2970 {
2971     VncDisplay *vs = vnc_display;
2972 
2973     if (!vs)
2974         return;
2975     if (vs->display) {
2976         g_free(vs->display);
2977         vs->display = NULL;
2978     }
2979     if (vs->lsock != -1) {
2980         qemu_set_fd_handler2(vs->lsock, NULL, NULL, NULL, NULL);
2981         close(vs->lsock);
2982         vs->lsock = -1;
2983     }
2984 #ifdef CONFIG_VNC_WS
2985     g_free(vs->ws_display);
2986     vs->ws_display = NULL;
2987     if (vs->lwebsock != -1) {
2988         qemu_set_fd_handler2(vs->lwebsock, NULL, NULL, NULL, NULL);
2989         close(vs->lwebsock);
2990         vs->lwebsock = -1;
2991     }
2992 #endif /* CONFIG_VNC_WS */
2993     vs->auth = VNC_AUTH_INVALID;
2994 #ifdef CONFIG_VNC_TLS
2995     vs->subauth = VNC_AUTH_INVALID;
2996     vs->tls.x509verify = 0;
2997 #endif
2998 }
2999 
3000 int vnc_display_password(DisplayState *ds, const char *password)
3001 {
3002     VncDisplay *vs = vnc_display;
3003 
3004     if (!vs) {
3005         return -EINVAL;
3006     }
3007     if (vs->auth == VNC_AUTH_NONE) {
3008         error_printf_unless_qmp("If you want use passwords please enable "
3009                                 "password auth using '-vnc ${dpy},password'.");
3010         return -EINVAL;
3011     }
3012 
3013     if (vs->password) {
3014         g_free(vs->password);
3015         vs->password = NULL;
3016     }
3017     if (password) {
3018         vs->password = g_strdup(password);
3019     }
3020 
3021     return 0;
3022 }
3023 
3024 int vnc_display_pw_expire(DisplayState *ds, time_t expires)
3025 {
3026     VncDisplay *vs = vnc_display;
3027 
3028     if (!vs) {
3029         return -EINVAL;
3030     }
3031 
3032     vs->expires = expires;
3033     return 0;
3034 }
3035 
3036 char *vnc_display_local_addr(DisplayState *ds)
3037 {
3038     VncDisplay *vs = vnc_display;
3039 
3040     return vnc_socket_local_addr("%s:%s", vs->lsock);
3041 }
3042 
3043 void vnc_display_open(DisplayState *ds, const char *display, Error **errp)
3044 {
3045     VncDisplay *vs = vnc_display;
3046     const char *options;
3047     int password = 0;
3048     int reverse = 0;
3049 #ifdef CONFIG_VNC_TLS
3050     int tls = 0, x509 = 0;
3051 #endif
3052 #ifdef CONFIG_VNC_SASL
3053     int sasl = 0;
3054     int saslErr;
3055 #endif
3056 #if defined(CONFIG_VNC_TLS) || defined(CONFIG_VNC_SASL)
3057     int acl = 0;
3058 #endif
3059     int lock_key_sync = 1;
3060 
3061     if (!vnc_display) {
3062         error_setg(errp, "VNC display not active");
3063         return;
3064     }
3065     vnc_display_close(ds);
3066     if (strcmp(display, "none") == 0)
3067         return;
3068 
3069     vs->display = g_strdup(display);
3070     vs->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
3071 
3072     options = display;
3073     while ((options = strchr(options, ','))) {
3074         options++;
3075         if (strncmp(options, "password", 8) == 0) {
3076             if (fips_get_state()) {
3077                 error_setg(errp,
3078                            "VNC password auth disabled due to FIPS mode, "
3079                            "consider using the VeNCrypt or SASL authentication "
3080                            "methods as an alternative");
3081                 goto fail;
3082             }
3083             password = 1; /* Require password auth */
3084         } else if (strncmp(options, "reverse", 7) == 0) {
3085             reverse = 1;
3086         } else if (strncmp(options, "no-lock-key-sync", 16) == 0) {
3087             lock_key_sync = 0;
3088 #ifdef CONFIG_VNC_SASL
3089         } else if (strncmp(options, "sasl", 4) == 0) {
3090             sasl = 1; /* Require SASL auth */
3091 #endif
3092 #ifdef CONFIG_VNC_WS
3093         } else if (strncmp(options, "websocket", 9) == 0) {
3094             char *start, *end;
3095             vs->websocket = 1;
3096 
3097             /* Check for 'websocket=<port>' */
3098             start = strchr(options, '=');
3099             end = strchr(options, ',');
3100             if (start && (!end || (start < end))) {
3101                 int len = end ? end-(start+1) : strlen(start+1);
3102                 if (len < 6) {
3103                     /* extract the host specification from display */
3104                     char  *host = NULL, *port = NULL, *host_end = NULL;
3105                     port = g_strndup(start + 1, len);
3106 
3107                     /* ipv6 hosts have colons */
3108                     end = strchr(display, ',');
3109                     host_end = g_strrstr_len(display, end - display, ":");
3110 
3111                     if (host_end) {
3112                         host = g_strndup(display, host_end - display + 1);
3113                     } else {
3114                         host = g_strndup(":", 1);
3115                     }
3116                     vs->ws_display = g_strconcat(host, port, NULL);
3117                     g_free(host);
3118                     g_free(port);
3119                 }
3120             }
3121 #endif /* CONFIG_VNC_WS */
3122 #ifdef CONFIG_VNC_TLS
3123         } else if (strncmp(options, "tls", 3) == 0) {
3124             tls = 1; /* Require TLS */
3125         } else if (strncmp(options, "x509", 4) == 0) {
3126             char *start, *end;
3127             x509 = 1; /* Require x509 certificates */
3128             if (strncmp(options, "x509verify", 10) == 0)
3129                 vs->tls.x509verify = 1; /* ...and verify client certs */
3130 
3131             /* Now check for 'x509=/some/path' postfix
3132              * and use that to setup x509 certificate/key paths */
3133             start = strchr(options, '=');
3134             end = strchr(options, ',');
3135             if (start && (!end || (start < end))) {
3136                 int len = end ? end-(start+1) : strlen(start+1);
3137                 char *path = g_strndup(start + 1, len);
3138 
3139                 VNC_DEBUG("Trying certificate path '%s'\n", path);
3140                 if (vnc_tls_set_x509_creds_dir(vs, path) < 0) {
3141                     error_setg(errp, "Failed to find x509 certificates/keys in %s", path);
3142                     g_free(path);
3143                     goto fail;
3144                 }
3145                 g_free(path);
3146             } else {
3147                 error_setg(errp, "No certificate path provided");
3148                 goto fail;
3149             }
3150 #endif
3151 #if defined(CONFIG_VNC_TLS) || defined(CONFIG_VNC_SASL)
3152         } else if (strncmp(options, "acl", 3) == 0) {
3153             acl = 1;
3154 #endif
3155         } else if (strncmp(options, "lossy", 5) == 0) {
3156 #ifdef CONFIG_VNC_JPEG
3157             vs->lossy = true;
3158 #endif
3159         } else if (strncmp(options, "non-adaptive", 12) == 0) {
3160             vs->non_adaptive = true;
3161         } else if (strncmp(options, "share=", 6) == 0) {
3162             if (strncmp(options+6, "ignore", 6) == 0) {
3163                 vs->share_policy = VNC_SHARE_POLICY_IGNORE;
3164             } else if (strncmp(options+6, "allow-exclusive", 15) == 0) {
3165                 vs->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
3166             } else if (strncmp(options+6, "force-shared", 12) == 0) {
3167                 vs->share_policy = VNC_SHARE_POLICY_FORCE_SHARED;
3168             } else {
3169                 error_setg(errp, "unknown vnc share= option");
3170                 goto fail;
3171             }
3172         }
3173     }
3174 
3175     /* adaptive updates are only used with tight encoding and
3176      * if lossy updates are enabled so we can disable all the
3177      * calculations otherwise */
3178     if (!vs->lossy) {
3179         vs->non_adaptive = true;
3180     }
3181 
3182 #ifdef CONFIG_VNC_TLS
3183     if (acl && x509 && vs->tls.x509verify) {
3184         if (!(vs->tls.acl = qemu_acl_init("vnc.x509dname"))) {
3185             fprintf(stderr, "Failed to create x509 dname ACL\n");
3186             exit(1);
3187         }
3188     }
3189 #endif
3190 #ifdef CONFIG_VNC_SASL
3191     if (acl && sasl) {
3192         if (!(vs->sasl.acl = qemu_acl_init("vnc.username"))) {
3193             fprintf(stderr, "Failed to create username ACL\n");
3194             exit(1);
3195         }
3196     }
3197 #endif
3198 
3199     /*
3200      * Combinations we support here:
3201      *
3202      *  - no-auth                (clear text, no auth)
3203      *  - password               (clear text, weak auth)
3204      *  - sasl                   (encrypt, good auth *IF* using Kerberos via GSSAPI)
3205      *  - tls                    (encrypt, weak anonymous creds, no auth)
3206      *  - tls + password         (encrypt, weak anonymous creds, weak auth)
3207      *  - tls + sasl             (encrypt, weak anonymous creds, good auth)
3208      *  - tls + x509             (encrypt, good x509 creds, no auth)
3209      *  - tls + x509 + password  (encrypt, good x509 creds, weak auth)
3210      *  - tls + x509 + sasl      (encrypt, good x509 creds, good auth)
3211      *
3212      * NB1. TLS is a stackable auth scheme.
3213      * NB2. the x509 schemes have option to validate a client cert dname
3214      */
3215     if (password) {
3216 #ifdef CONFIG_VNC_TLS
3217         if (tls) {
3218             vs->auth = VNC_AUTH_VENCRYPT;
3219             if (x509) {
3220                 VNC_DEBUG("Initializing VNC server with x509 password auth\n");
3221                 vs->subauth = VNC_AUTH_VENCRYPT_X509VNC;
3222             } else {
3223                 VNC_DEBUG("Initializing VNC server with TLS password auth\n");
3224                 vs->subauth = VNC_AUTH_VENCRYPT_TLSVNC;
3225             }
3226         } else {
3227 #endif /* CONFIG_VNC_TLS */
3228             VNC_DEBUG("Initializing VNC server with password auth\n");
3229             vs->auth = VNC_AUTH_VNC;
3230 #ifdef CONFIG_VNC_TLS
3231             vs->subauth = VNC_AUTH_INVALID;
3232         }
3233 #endif /* CONFIG_VNC_TLS */
3234 #ifdef CONFIG_VNC_SASL
3235     } else if (sasl) {
3236 #ifdef CONFIG_VNC_TLS
3237         if (tls) {
3238             vs->auth = VNC_AUTH_VENCRYPT;
3239             if (x509) {
3240                 VNC_DEBUG("Initializing VNC server with x509 SASL auth\n");
3241                 vs->subauth = VNC_AUTH_VENCRYPT_X509SASL;
3242             } else {
3243                 VNC_DEBUG("Initializing VNC server with TLS SASL auth\n");
3244                 vs->subauth = VNC_AUTH_VENCRYPT_TLSSASL;
3245             }
3246         } else {
3247 #endif /* CONFIG_VNC_TLS */
3248             VNC_DEBUG("Initializing VNC server with SASL auth\n");
3249             vs->auth = VNC_AUTH_SASL;
3250 #ifdef CONFIG_VNC_TLS
3251             vs->subauth = VNC_AUTH_INVALID;
3252         }
3253 #endif /* CONFIG_VNC_TLS */
3254 #endif /* CONFIG_VNC_SASL */
3255     } else {
3256 #ifdef CONFIG_VNC_TLS
3257         if (tls) {
3258             vs->auth = VNC_AUTH_VENCRYPT;
3259             if (x509) {
3260                 VNC_DEBUG("Initializing VNC server with x509 no auth\n");
3261                 vs->subauth = VNC_AUTH_VENCRYPT_X509NONE;
3262             } else {
3263                 VNC_DEBUG("Initializing VNC server with TLS no auth\n");
3264                 vs->subauth = VNC_AUTH_VENCRYPT_TLSNONE;
3265             }
3266         } else {
3267 #endif
3268             VNC_DEBUG("Initializing VNC server with no auth\n");
3269             vs->auth = VNC_AUTH_NONE;
3270 #ifdef CONFIG_VNC_TLS
3271             vs->subauth = VNC_AUTH_INVALID;
3272         }
3273 #endif
3274     }
3275 
3276 #ifdef CONFIG_VNC_SASL
3277     if ((saslErr = sasl_server_init(NULL, "qemu")) != SASL_OK) {
3278         error_setg(errp, "Failed to initialize SASL auth: %s",
3279                    sasl_errstring(saslErr, NULL, NULL));
3280         goto fail;
3281     }
3282 #endif
3283     vs->lock_key_sync = lock_key_sync;
3284 
3285     if (reverse) {
3286         /* connect to viewer */
3287         int csock;
3288         vs->lsock = -1;
3289 #ifdef CONFIG_VNC_WS
3290         vs->lwebsock = -1;
3291 #endif
3292         if (strncmp(display, "unix:", 5) == 0) {
3293             csock = unix_connect(display+5, errp);
3294         } else {
3295             csock = inet_connect(display, errp);
3296         }
3297         if (csock < 0) {
3298             goto fail;
3299         }
3300         vnc_connect(vs, csock, false, false);
3301     } else {
3302         /* listen for connects */
3303         char *dpy;
3304         dpy = g_malloc(256);
3305         if (strncmp(display, "unix:", 5) == 0) {
3306             pstrcpy(dpy, 256, "unix:");
3307             vs->lsock = unix_listen(display+5, dpy+5, 256-5, errp);
3308         } else {
3309             vs->lsock = inet_listen(display, dpy, 256,
3310                                     SOCK_STREAM, 5900, errp);
3311             if (vs->lsock < 0) {
3312                 g_free(dpy);
3313                 goto fail;
3314             }
3315 #ifdef CONFIG_VNC_WS
3316             if (vs->websocket) {
3317                 if (vs->ws_display) {
3318                     vs->lwebsock = inet_listen(vs->ws_display, NULL, 256,
3319                         SOCK_STREAM, 0, errp);
3320                 } else {
3321                     vs->lwebsock = inet_listen(vs->display, NULL, 256,
3322                         SOCK_STREAM, 5700, errp);
3323                 }
3324 
3325                 if (vs->lwebsock < 0) {
3326                     if (vs->lsock) {
3327                         close(vs->lsock);
3328                         vs->lsock = -1;
3329                     }
3330                     g_free(dpy);
3331                     goto fail;
3332                 }
3333             }
3334 #endif /* CONFIG_VNC_WS */
3335         }
3336         g_free(vs->display);
3337         vs->display = dpy;
3338         qemu_set_fd_handler2(vs->lsock, NULL,
3339                 vnc_listen_regular_read, NULL, vs);
3340 #ifdef CONFIG_VNC_WS
3341         if (vs->websocket) {
3342             qemu_set_fd_handler2(vs->lwebsock, NULL,
3343                     vnc_listen_websocket_read, NULL, vs);
3344         }
3345 #endif /* CONFIG_VNC_WS */
3346     }
3347     return;
3348 
3349 fail:
3350     g_free(vs->display);
3351     vs->display = NULL;
3352 #ifdef CONFIG_VNC_WS
3353     g_free(vs->ws_display);
3354     vs->ws_display = NULL;
3355 #endif /* CONFIG_VNC_WS */
3356 }
3357 
3358 void vnc_display_add_client(DisplayState *ds, int csock, bool skipauth)
3359 {
3360     VncDisplay *vs = vnc_display;
3361 
3362     vnc_connect(vs, csock, skipauth, false);
3363 }
3364