xref: /openbmc/qemu/ui/vnc.c (revision cbc94d97)
1  /*
2   * QEMU VNC display driver
3   *
4   * Copyright (C) 2006 Anthony Liguori <anthony@codemonkey.ws>
5   * Copyright (C) 2006 Fabrice Bellard
6   * Copyright (C) 2009 Red Hat, Inc
7   *
8   * Permission is hereby granted, free of charge, to any person obtaining a copy
9   * of this software and associated documentation files (the "Software"), to deal
10   * in the Software without restriction, including without limitation the rights
11   * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
12   * copies of the Software, and to permit persons to whom the Software is
13   * furnished to do so, subject to the following conditions:
14   *
15   * The above copyright notice and this permission notice shall be included in
16   * all copies or substantial portions of the Software.
17   *
18   * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
19   * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
20   * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
21   * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
22   * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
23   * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
24   * THE SOFTWARE.
25   */
26  
27  #include "qemu/osdep.h"
28  #include "qemu-common.h"
29  #include "vnc.h"
30  #include "vnc-jobs.h"
31  #include "trace.h"
32  #include "hw/qdev-core.h"
33  #include "sysemu/sysemu.h"
34  #include "sysemu/runstate.h"
35  #include "qemu/error-report.h"
36  #include "qemu/main-loop.h"
37  #include "qemu/module.h"
38  #include "qemu/option.h"
39  #include "qemu/sockets.h"
40  #include "qemu/timer.h"
41  #include "authz/list.h"
42  #include "qemu/config-file.h"
43  #include "qapi/qapi-emit-events.h"
44  #include "qapi/qapi-events-ui.h"
45  #include "qapi/error.h"
46  #include "qapi/qapi-commands-ui.h"
47  #include "ui/input.h"
48  #include "crypto/hash.h"
49  #include "crypto/tlscreds.h"
50  #include "crypto/tlscredsanon.h"
51  #include "crypto/tlscredsx509.h"
52  #include "crypto/random.h"
53  #include "crypto/secret_common.h"
54  #include "qom/object_interfaces.h"
55  #include "qemu/cutils.h"
56  #include "qemu/help_option.h"
57  #include "io/dns-resolver.h"
58  
59  #define VNC_REFRESH_INTERVAL_BASE GUI_REFRESH_INTERVAL_DEFAULT
60  #define VNC_REFRESH_INTERVAL_INC  50
61  #define VNC_REFRESH_INTERVAL_MAX  GUI_REFRESH_INTERVAL_IDLE
62  static const struct timeval VNC_REFRESH_STATS = { 0, 500000 };
63  static const struct timeval VNC_REFRESH_LOSSY = { 2, 0 };
64  
65  #include "vnc_keysym.h"
66  #include "crypto/cipher.h"
67  
68  static QTAILQ_HEAD(, VncDisplay) vnc_displays =
69      QTAILQ_HEAD_INITIALIZER(vnc_displays);
70  
71  static int vnc_cursor_define(VncState *vs);
72  static void vnc_update_throttle_offset(VncState *vs);
73  
74  static void vnc_set_share_mode(VncState *vs, VncShareMode mode)
75  {
76  #ifdef _VNC_DEBUG
77      static const char *mn[] = {
78          [0]                           = "undefined",
79          [VNC_SHARE_MODE_CONNECTING]   = "connecting",
80          [VNC_SHARE_MODE_SHARED]       = "shared",
81          [VNC_SHARE_MODE_EXCLUSIVE]    = "exclusive",
82          [VNC_SHARE_MODE_DISCONNECTED] = "disconnected",
83      };
84      fprintf(stderr, "%s/%p: %s -> %s\n", __func__,
85              vs->ioc, mn[vs->share_mode], mn[mode]);
86  #endif
87  
88      switch (vs->share_mode) {
89      case VNC_SHARE_MODE_CONNECTING:
90          vs->vd->num_connecting--;
91          break;
92      case VNC_SHARE_MODE_SHARED:
93          vs->vd->num_shared--;
94          break;
95      case VNC_SHARE_MODE_EXCLUSIVE:
96          vs->vd->num_exclusive--;
97          break;
98      default:
99          break;
100      }
101  
102      vs->share_mode = mode;
103  
104      switch (vs->share_mode) {
105      case VNC_SHARE_MODE_CONNECTING:
106          vs->vd->num_connecting++;
107          break;
108      case VNC_SHARE_MODE_SHARED:
109          vs->vd->num_shared++;
110          break;
111      case VNC_SHARE_MODE_EXCLUSIVE:
112          vs->vd->num_exclusive++;
113          break;
114      default:
115          break;
116      }
117  }
118  
119  
120  static void vnc_init_basic_info(SocketAddress *addr,
121                                  VncBasicInfo *info,
122                                  Error **errp)
123  {
124      switch (addr->type) {
125      case SOCKET_ADDRESS_TYPE_INET:
126          info->host = g_strdup(addr->u.inet.host);
127          info->service = g_strdup(addr->u.inet.port);
128          if (addr->u.inet.ipv6) {
129              info->family = NETWORK_ADDRESS_FAMILY_IPV6;
130          } else {
131              info->family = NETWORK_ADDRESS_FAMILY_IPV4;
132          }
133          break;
134  
135      case SOCKET_ADDRESS_TYPE_UNIX:
136          info->host = g_strdup("");
137          info->service = g_strdup(addr->u.q_unix.path);
138          info->family = NETWORK_ADDRESS_FAMILY_UNIX;
139          break;
140  
141      case SOCKET_ADDRESS_TYPE_VSOCK:
142      case SOCKET_ADDRESS_TYPE_FD:
143          error_setg(errp, "Unsupported socket address type %s",
144                     SocketAddressType_str(addr->type));
145          break;
146      default:
147          abort();
148      }
149  
150      return;
151  }
152  
153  static void vnc_init_basic_info_from_server_addr(QIOChannelSocket *ioc,
154                                                   VncBasicInfo *info,
155                                                   Error **errp)
156  {
157      SocketAddress *addr = NULL;
158  
159      if (!ioc) {
160          error_setg(errp, "No listener socket available");
161          return;
162      }
163  
164      addr = qio_channel_socket_get_local_address(ioc, errp);
165      if (!addr) {
166          return;
167      }
168  
169      vnc_init_basic_info(addr, info, errp);
170      qapi_free_SocketAddress(addr);
171  }
172  
173  static void vnc_init_basic_info_from_remote_addr(QIOChannelSocket *ioc,
174                                                   VncBasicInfo *info,
175                                                   Error **errp)
176  {
177      SocketAddress *addr = NULL;
178  
179      addr = qio_channel_socket_get_remote_address(ioc, errp);
180      if (!addr) {
181          return;
182      }
183  
184      vnc_init_basic_info(addr, info, errp);
185      qapi_free_SocketAddress(addr);
186  }
187  
188  static const char *vnc_auth_name(VncDisplay *vd) {
189      switch (vd->auth) {
190      case VNC_AUTH_INVALID:
191          return "invalid";
192      case VNC_AUTH_NONE:
193          return "none";
194      case VNC_AUTH_VNC:
195          return "vnc";
196      case VNC_AUTH_RA2:
197          return "ra2";
198      case VNC_AUTH_RA2NE:
199          return "ra2ne";
200      case VNC_AUTH_TIGHT:
201          return "tight";
202      case VNC_AUTH_ULTRA:
203          return "ultra";
204      case VNC_AUTH_TLS:
205          return "tls";
206      case VNC_AUTH_VENCRYPT:
207          switch (vd->subauth) {
208          case VNC_AUTH_VENCRYPT_PLAIN:
209              return "vencrypt+plain";
210          case VNC_AUTH_VENCRYPT_TLSNONE:
211              return "vencrypt+tls+none";
212          case VNC_AUTH_VENCRYPT_TLSVNC:
213              return "vencrypt+tls+vnc";
214          case VNC_AUTH_VENCRYPT_TLSPLAIN:
215              return "vencrypt+tls+plain";
216          case VNC_AUTH_VENCRYPT_X509NONE:
217              return "vencrypt+x509+none";
218          case VNC_AUTH_VENCRYPT_X509VNC:
219              return "vencrypt+x509+vnc";
220          case VNC_AUTH_VENCRYPT_X509PLAIN:
221              return "vencrypt+x509+plain";
222          case VNC_AUTH_VENCRYPT_TLSSASL:
223              return "vencrypt+tls+sasl";
224          case VNC_AUTH_VENCRYPT_X509SASL:
225              return "vencrypt+x509+sasl";
226          default:
227              return "vencrypt";
228          }
229      case VNC_AUTH_SASL:
230          return "sasl";
231      }
232      return "unknown";
233  }
234  
235  static VncServerInfo *vnc_server_info_get(VncDisplay *vd)
236  {
237      VncServerInfo *info;
238      Error *err = NULL;
239  
240      if (!vd->listener || !vd->listener->nsioc) {
241          return NULL;
242      }
243  
244      info = g_malloc0(sizeof(*info));
245      vnc_init_basic_info_from_server_addr(vd->listener->sioc[0],
246                                           qapi_VncServerInfo_base(info), &err);
247      info->has_auth = true;
248      info->auth = g_strdup(vnc_auth_name(vd));
249      if (err) {
250          qapi_free_VncServerInfo(info);
251          info = NULL;
252          error_free(err);
253      }
254      return info;
255  }
256  
257  static void vnc_client_cache_auth(VncState *client)
258  {
259      if (!client->info) {
260          return;
261      }
262  
263      if (client->tls) {
264          client->info->x509_dname =
265              qcrypto_tls_session_get_peer_name(client->tls);
266          client->info->has_x509_dname =
267              client->info->x509_dname != NULL;
268      }
269  #ifdef CONFIG_VNC_SASL
270      if (client->sasl.conn &&
271          client->sasl.username) {
272          client->info->has_sasl_username = true;
273          client->info->sasl_username = g_strdup(client->sasl.username);
274      }
275  #endif
276  }
277  
278  static void vnc_client_cache_addr(VncState *client)
279  {
280      Error *err = NULL;
281  
282      client->info = g_malloc0(sizeof(*client->info));
283      vnc_init_basic_info_from_remote_addr(client->sioc,
284                                           qapi_VncClientInfo_base(client->info),
285                                           &err);
286      client->info->websocket = client->websocket;
287      if (err) {
288          qapi_free_VncClientInfo(client->info);
289          client->info = NULL;
290          error_free(err);
291      }
292  }
293  
294  static void vnc_qmp_event(VncState *vs, QAPIEvent event)
295  {
296      VncServerInfo *si;
297  
298      if (!vs->info) {
299          return;
300      }
301  
302      si = vnc_server_info_get(vs->vd);
303      if (!si) {
304          return;
305      }
306  
307      switch (event) {
308      case QAPI_EVENT_VNC_CONNECTED:
309          qapi_event_send_vnc_connected(si, qapi_VncClientInfo_base(vs->info));
310          break;
311      case QAPI_EVENT_VNC_INITIALIZED:
312          qapi_event_send_vnc_initialized(si, vs->info);
313          break;
314      case QAPI_EVENT_VNC_DISCONNECTED:
315          qapi_event_send_vnc_disconnected(si, vs->info);
316          break;
317      default:
318          break;
319      }
320  
321      qapi_free_VncServerInfo(si);
322  }
323  
324  static VncClientInfo *qmp_query_vnc_client(const VncState *client)
325  {
326      VncClientInfo *info;
327      Error *err = NULL;
328  
329      info = g_malloc0(sizeof(*info));
330  
331      vnc_init_basic_info_from_remote_addr(client->sioc,
332                                           qapi_VncClientInfo_base(info),
333                                           &err);
334      if (err) {
335          error_free(err);
336          qapi_free_VncClientInfo(info);
337          return NULL;
338      }
339  
340      info->websocket = client->websocket;
341  
342      if (client->tls) {
343          info->x509_dname = qcrypto_tls_session_get_peer_name(client->tls);
344          info->has_x509_dname = info->x509_dname != NULL;
345      }
346  #ifdef CONFIG_VNC_SASL
347      if (client->sasl.conn && client->sasl.username) {
348          info->has_sasl_username = true;
349          info->sasl_username = g_strdup(client->sasl.username);
350      }
351  #endif
352  
353      return info;
354  }
355  
356  static VncDisplay *vnc_display_find(const char *id)
357  {
358      VncDisplay *vd;
359  
360      if (id == NULL) {
361          return QTAILQ_FIRST(&vnc_displays);
362      }
363      QTAILQ_FOREACH(vd, &vnc_displays, next) {
364          if (strcmp(id, vd->id) == 0) {
365              return vd;
366          }
367      }
368      return NULL;
369  }
370  
371  static VncClientInfoList *qmp_query_client_list(VncDisplay *vd)
372  {
373      VncClientInfoList *prev = NULL;
374      VncState *client;
375  
376      QTAILQ_FOREACH(client, &vd->clients, next) {
377          QAPI_LIST_PREPEND(prev, qmp_query_vnc_client(client));
378      }
379      return prev;
380  }
381  
382  VncInfo *qmp_query_vnc(Error **errp)
383  {
384      VncInfo *info = g_malloc0(sizeof(*info));
385      VncDisplay *vd = vnc_display_find(NULL);
386      SocketAddress *addr = NULL;
387  
388      if (vd == NULL || !vd->listener || !vd->listener->nsioc) {
389          info->enabled = false;
390      } else {
391          info->enabled = true;
392  
393          /* for compatibility with the original command */
394          info->has_clients = true;
395          info->clients = qmp_query_client_list(vd);
396  
397          addr = qio_channel_socket_get_local_address(vd->listener->sioc[0],
398                                                      errp);
399          if (!addr) {
400              goto out_error;
401          }
402  
403          switch (addr->type) {
404          case SOCKET_ADDRESS_TYPE_INET:
405              info->host = g_strdup(addr->u.inet.host);
406              info->service = g_strdup(addr->u.inet.port);
407              if (addr->u.inet.ipv6) {
408                  info->family = NETWORK_ADDRESS_FAMILY_IPV6;
409              } else {
410                  info->family = NETWORK_ADDRESS_FAMILY_IPV4;
411              }
412              break;
413  
414          case SOCKET_ADDRESS_TYPE_UNIX:
415              info->host = g_strdup("");
416              info->service = g_strdup(addr->u.q_unix.path);
417              info->family = NETWORK_ADDRESS_FAMILY_UNIX;
418              break;
419  
420          case SOCKET_ADDRESS_TYPE_VSOCK:
421          case SOCKET_ADDRESS_TYPE_FD:
422              error_setg(errp, "Unsupported socket address type %s",
423                         SocketAddressType_str(addr->type));
424              goto out_error;
425          default:
426              abort();
427          }
428  
429          info->has_host = true;
430          info->has_service = true;
431          info->has_family = true;
432  
433          info->has_auth = true;
434          info->auth = g_strdup(vnc_auth_name(vd));
435      }
436  
437      qapi_free_SocketAddress(addr);
438      return info;
439  
440  out_error:
441      qapi_free_SocketAddress(addr);
442      qapi_free_VncInfo(info);
443      return NULL;
444  }
445  
446  
447  static void qmp_query_auth(int auth, int subauth,
448                             VncPrimaryAuth *qmp_auth,
449                             VncVencryptSubAuth *qmp_vencrypt,
450                             bool *qmp_has_vencrypt);
451  
452  static VncServerInfo2List *qmp_query_server_entry(QIOChannelSocket *ioc,
453                                                    bool websocket,
454                                                    int auth,
455                                                    int subauth,
456                                                    VncServerInfo2List *prev)
457  {
458      VncServerInfo2 *info;
459      Error *err = NULL;
460      SocketAddress *addr;
461  
462      addr = qio_channel_socket_get_local_address(ioc, NULL);
463      if (!addr) {
464          return prev;
465      }
466  
467      info = g_new0(VncServerInfo2, 1);
468      vnc_init_basic_info(addr, qapi_VncServerInfo2_base(info), &err);
469      qapi_free_SocketAddress(addr);
470      if (err) {
471          qapi_free_VncServerInfo2(info);
472          error_free(err);
473          return prev;
474      }
475      info->websocket = websocket;
476  
477      qmp_query_auth(auth, subauth, &info->auth,
478                     &info->vencrypt, &info->has_vencrypt);
479  
480      QAPI_LIST_PREPEND(prev, info);
481      return prev;
482  }
483  
484  static void qmp_query_auth(int auth, int subauth,
485                             VncPrimaryAuth *qmp_auth,
486                             VncVencryptSubAuth *qmp_vencrypt,
487                             bool *qmp_has_vencrypt)
488  {
489      switch (auth) {
490      case VNC_AUTH_VNC:
491          *qmp_auth = VNC_PRIMARY_AUTH_VNC;
492          break;
493      case VNC_AUTH_RA2:
494          *qmp_auth = VNC_PRIMARY_AUTH_RA2;
495          break;
496      case VNC_AUTH_RA2NE:
497          *qmp_auth = VNC_PRIMARY_AUTH_RA2NE;
498          break;
499      case VNC_AUTH_TIGHT:
500          *qmp_auth = VNC_PRIMARY_AUTH_TIGHT;
501          break;
502      case VNC_AUTH_ULTRA:
503          *qmp_auth = VNC_PRIMARY_AUTH_ULTRA;
504          break;
505      case VNC_AUTH_TLS:
506          *qmp_auth = VNC_PRIMARY_AUTH_TLS;
507          break;
508      case VNC_AUTH_VENCRYPT:
509          *qmp_auth = VNC_PRIMARY_AUTH_VENCRYPT;
510          *qmp_has_vencrypt = true;
511          switch (subauth) {
512          case VNC_AUTH_VENCRYPT_PLAIN:
513              *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_PLAIN;
514              break;
515          case VNC_AUTH_VENCRYPT_TLSNONE:
516              *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_NONE;
517              break;
518          case VNC_AUTH_VENCRYPT_TLSVNC:
519              *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_VNC;
520              break;
521          case VNC_AUTH_VENCRYPT_TLSPLAIN:
522              *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_PLAIN;
523              break;
524          case VNC_AUTH_VENCRYPT_X509NONE:
525              *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_NONE;
526              break;
527          case VNC_AUTH_VENCRYPT_X509VNC:
528              *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_VNC;
529              break;
530          case VNC_AUTH_VENCRYPT_X509PLAIN:
531              *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_PLAIN;
532              break;
533          case VNC_AUTH_VENCRYPT_TLSSASL:
534              *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_SASL;
535              break;
536          case VNC_AUTH_VENCRYPT_X509SASL:
537              *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_SASL;
538              break;
539          default:
540              *qmp_has_vencrypt = false;
541              break;
542          }
543          break;
544      case VNC_AUTH_SASL:
545          *qmp_auth = VNC_PRIMARY_AUTH_SASL;
546          break;
547      case VNC_AUTH_NONE:
548      default:
549          *qmp_auth = VNC_PRIMARY_AUTH_NONE;
550          break;
551      }
552  }
553  
554  VncInfo2List *qmp_query_vnc_servers(Error **errp)
555  {
556      VncInfo2List *prev = NULL;
557      VncInfo2 *info;
558      VncDisplay *vd;
559      DeviceState *dev;
560      size_t i;
561  
562      QTAILQ_FOREACH(vd, &vnc_displays, next) {
563          info = g_new0(VncInfo2, 1);
564          info->id = g_strdup(vd->id);
565          info->clients = qmp_query_client_list(vd);
566          qmp_query_auth(vd->auth, vd->subauth, &info->auth,
567                         &info->vencrypt, &info->has_vencrypt);
568          if (vd->dcl.con) {
569              dev = DEVICE(object_property_get_link(OBJECT(vd->dcl.con),
570                                                    "device", &error_abort));
571              info->has_display = true;
572              info->display = g_strdup(dev->id);
573          }
574          for (i = 0; vd->listener != NULL && i < vd->listener->nsioc; i++) {
575              info->server = qmp_query_server_entry(
576                  vd->listener->sioc[i], false, vd->auth, vd->subauth,
577                  info->server);
578          }
579          for (i = 0; vd->wslistener != NULL && i < vd->wslistener->nsioc; i++) {
580              info->server = qmp_query_server_entry(
581                  vd->wslistener->sioc[i], true, vd->ws_auth,
582                  vd->ws_subauth, info->server);
583          }
584  
585          QAPI_LIST_PREPEND(prev, info);
586      }
587      return prev;
588  }
589  
590  bool vnc_display_reload_certs(const char *id, Error **errp)
591  {
592      VncDisplay *vd = vnc_display_find(id);
593      QCryptoTLSCredsClass *creds = NULL;
594  
595      if (!vd) {
596          error_setg(errp, "Can not find vnc display");
597          return false;
598      }
599  
600      if (!vd->tlscreds) {
601          error_setg(errp, "vnc tls is not enabled");
602          return false;
603      }
604  
605      creds = QCRYPTO_TLS_CREDS_GET_CLASS(OBJECT(vd->tlscreds));
606      if (creds->reload == NULL) {
607          error_setg(errp, "%s doesn't support to reload TLS credential",
608                     object_get_typename(OBJECT(vd->tlscreds)));
609          return false;
610      }
611      if (!creds->reload(vd->tlscreds, errp)) {
612          return false;
613      }
614  
615      return true;
616  }
617  
618  /* TODO
619     1) Get the queue working for IO.
620     2) there is some weirdness when using the -S option (the screen is grey
621        and not totally invalidated
622     3) resolutions > 1024
623  */
624  
625  static int vnc_update_client(VncState *vs, int has_dirty);
626  static void vnc_disconnect_start(VncState *vs);
627  
628  static void vnc_colordepth(VncState *vs);
629  static void framebuffer_update_request(VncState *vs, int incremental,
630                                         int x_position, int y_position,
631                                         int w, int h);
632  static void vnc_refresh(DisplayChangeListener *dcl);
633  static int vnc_refresh_server_surface(VncDisplay *vd);
634  
635  static int vnc_width(VncDisplay *vd)
636  {
637      return MIN(VNC_MAX_WIDTH, ROUND_UP(surface_width(vd->ds),
638                                         VNC_DIRTY_PIXELS_PER_BIT));
639  }
640  
641  static int vnc_true_width(VncDisplay *vd)
642  {
643      return MIN(VNC_MAX_WIDTH, surface_width(vd->ds));
644  }
645  
646  static int vnc_height(VncDisplay *vd)
647  {
648      return MIN(VNC_MAX_HEIGHT, surface_height(vd->ds));
649  }
650  
651  static void vnc_set_area_dirty(DECLARE_BITMAP(dirty[VNC_MAX_HEIGHT],
652                                 VNC_MAX_WIDTH / VNC_DIRTY_PIXELS_PER_BIT),
653                                 VncDisplay *vd,
654                                 int x, int y, int w, int h)
655  {
656      int width = vnc_width(vd);
657      int height = vnc_height(vd);
658  
659      /* this is needed this to ensure we updated all affected
660       * blocks if x % VNC_DIRTY_PIXELS_PER_BIT != 0 */
661      w += (x % VNC_DIRTY_PIXELS_PER_BIT);
662      x -= (x % VNC_DIRTY_PIXELS_PER_BIT);
663  
664      x = MIN(x, width);
665      y = MIN(y, height);
666      w = MIN(x + w, width) - x;
667      h = MIN(y + h, height);
668  
669      for (; y < h; y++) {
670          bitmap_set(dirty[y], x / VNC_DIRTY_PIXELS_PER_BIT,
671                     DIV_ROUND_UP(w, VNC_DIRTY_PIXELS_PER_BIT));
672      }
673  }
674  
675  static void vnc_dpy_update(DisplayChangeListener *dcl,
676                             int x, int y, int w, int h)
677  {
678      VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
679      struct VncSurface *s = &vd->guest;
680  
681      vnc_set_area_dirty(s->dirty, vd, x, y, w, h);
682  }
683  
684  void vnc_framebuffer_update(VncState *vs, int x, int y, int w, int h,
685                              int32_t encoding)
686  {
687      vnc_write_u16(vs, x);
688      vnc_write_u16(vs, y);
689      vnc_write_u16(vs, w);
690      vnc_write_u16(vs, h);
691  
692      vnc_write_s32(vs, encoding);
693  }
694  
695  static void vnc_desktop_resize_ext(VncState *vs, int reject_reason)
696  {
697      trace_vnc_msg_server_ext_desktop_resize(
698          vs, vs->ioc, vs->client_width, vs->client_height, reject_reason);
699  
700      vnc_lock_output(vs);
701      vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
702      vnc_write_u8(vs, 0);
703      vnc_write_u16(vs, 1); /* number of rects */
704      vnc_framebuffer_update(vs,
705                             reject_reason ? 1 : 0,
706                             reject_reason,
707                             vs->client_width, vs->client_height,
708                             VNC_ENCODING_DESKTOP_RESIZE_EXT);
709      vnc_write_u8(vs, 1);  /* number of screens */
710      vnc_write_u8(vs, 0);  /* padding */
711      vnc_write_u8(vs, 0);  /* padding */
712      vnc_write_u8(vs, 0);  /* padding */
713      vnc_write_u32(vs, 0); /* screen id */
714      vnc_write_u16(vs, 0); /* screen x-pos */
715      vnc_write_u16(vs, 0); /* screen y-pos */
716      vnc_write_u16(vs, vs->client_width);
717      vnc_write_u16(vs, vs->client_height);
718      vnc_write_u32(vs, 0); /* screen flags */
719      vnc_unlock_output(vs);
720      vnc_flush(vs);
721  }
722  
723  static void vnc_desktop_resize(VncState *vs)
724  {
725      if (vs->ioc == NULL || (!vnc_has_feature(vs, VNC_FEATURE_RESIZE) &&
726                              !vnc_has_feature(vs, VNC_FEATURE_RESIZE_EXT))) {
727          return;
728      }
729      if (vs->client_width == vs->vd->true_width &&
730          vs->client_height == pixman_image_get_height(vs->vd->server)) {
731          return;
732      }
733  
734      assert(vs->vd->true_width < 65536 &&
735             vs->vd->true_width >= 0);
736      assert(pixman_image_get_height(vs->vd->server) < 65536 &&
737             pixman_image_get_height(vs->vd->server) >= 0);
738      vs->client_width = vs->vd->true_width;
739      vs->client_height = pixman_image_get_height(vs->vd->server);
740  
741      if (vnc_has_feature(vs, VNC_FEATURE_RESIZE_EXT)) {
742          vnc_desktop_resize_ext(vs, 0);
743          return;
744      }
745  
746      trace_vnc_msg_server_desktop_resize(
747          vs, vs->ioc, vs->client_width, vs->client_height);
748  
749      vnc_lock_output(vs);
750      vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
751      vnc_write_u8(vs, 0);
752      vnc_write_u16(vs, 1); /* number of rects */
753      vnc_framebuffer_update(vs, 0, 0, vs->client_width, vs->client_height,
754                             VNC_ENCODING_DESKTOPRESIZE);
755      vnc_unlock_output(vs);
756      vnc_flush(vs);
757  }
758  
759  static void vnc_abort_display_jobs(VncDisplay *vd)
760  {
761      VncState *vs;
762  
763      QTAILQ_FOREACH(vs, &vd->clients, next) {
764          vnc_lock_output(vs);
765          vs->abort = true;
766          vnc_unlock_output(vs);
767      }
768      QTAILQ_FOREACH(vs, &vd->clients, next) {
769          vnc_jobs_join(vs);
770      }
771      QTAILQ_FOREACH(vs, &vd->clients, next) {
772          vnc_lock_output(vs);
773          if (vs->update == VNC_STATE_UPDATE_NONE &&
774              vs->job_update != VNC_STATE_UPDATE_NONE) {
775              /* job aborted before completion */
776              vs->update = vs->job_update;
777              vs->job_update = VNC_STATE_UPDATE_NONE;
778          }
779          vs->abort = false;
780          vnc_unlock_output(vs);
781      }
782  }
783  
784  int vnc_server_fb_stride(VncDisplay *vd)
785  {
786      return pixman_image_get_stride(vd->server);
787  }
788  
789  void *vnc_server_fb_ptr(VncDisplay *vd, int x, int y)
790  {
791      uint8_t *ptr;
792  
793      ptr  = (uint8_t *)pixman_image_get_data(vd->server);
794      ptr += y * vnc_server_fb_stride(vd);
795      ptr += x * VNC_SERVER_FB_BYTES;
796      return ptr;
797  }
798  
799  static void vnc_update_server_surface(VncDisplay *vd)
800  {
801      int width, height;
802  
803      qemu_pixman_image_unref(vd->server);
804      vd->server = NULL;
805  
806      if (QTAILQ_EMPTY(&vd->clients)) {
807          return;
808      }
809  
810      width = vnc_width(vd);
811      height = vnc_height(vd);
812      vd->true_width = vnc_true_width(vd);
813      vd->server = pixman_image_create_bits(VNC_SERVER_FB_FORMAT,
814                                            width, height,
815                                            NULL, 0);
816  
817      memset(vd->guest.dirty, 0x00, sizeof(vd->guest.dirty));
818      vnc_set_area_dirty(vd->guest.dirty, vd, 0, 0,
819                         width, height);
820  }
821  
822  static bool vnc_check_pageflip(DisplaySurface *s1,
823                                 DisplaySurface *s2)
824  {
825      return (s1 != NULL &&
826              s2 != NULL &&
827              surface_width(s1) == surface_width(s2) &&
828              surface_height(s1) == surface_height(s2) &&
829              surface_format(s1) == surface_format(s2));
830  
831  }
832  
833  static void vnc_dpy_switch(DisplayChangeListener *dcl,
834                             DisplaySurface *surface)
835  {
836      VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
837      bool pageflip = vnc_check_pageflip(vd->ds, surface);
838      VncState *vs;
839  
840      vnc_abort_display_jobs(vd);
841      vd->ds = surface;
842  
843      /* guest surface */
844      qemu_pixman_image_unref(vd->guest.fb);
845      vd->guest.fb = pixman_image_ref(surface->image);
846      vd->guest.format = surface->format;
847  
848  
849      if (pageflip) {
850          trace_vnc_server_dpy_pageflip(vd,
851                                        surface_width(surface),
852                                        surface_height(surface),
853                                        surface_format(surface));
854          vnc_set_area_dirty(vd->guest.dirty, vd, 0, 0,
855                             surface_width(surface),
856                             surface_height(surface));
857          return;
858      }
859  
860      trace_vnc_server_dpy_recreate(vd,
861                                    surface_width(surface),
862                                    surface_height(surface),
863                                    surface_format(surface));
864      /* server surface */
865      vnc_update_server_surface(vd);
866  
867      QTAILQ_FOREACH(vs, &vd->clients, next) {
868          vnc_colordepth(vs);
869          vnc_desktop_resize(vs);
870          vnc_cursor_define(vs);
871          memset(vs->dirty, 0x00, sizeof(vs->dirty));
872          vnc_set_area_dirty(vs->dirty, vd, 0, 0,
873                             vnc_width(vd),
874                             vnc_height(vd));
875          vnc_update_throttle_offset(vs);
876      }
877  }
878  
879  /* fastest code */
880  static void vnc_write_pixels_copy(VncState *vs,
881                                    void *pixels, int size)
882  {
883      vnc_write(vs, pixels, size);
884  }
885  
886  /* slowest but generic code. */
887  void vnc_convert_pixel(VncState *vs, uint8_t *buf, uint32_t v)
888  {
889      uint8_t r, g, b;
890  
891  #if VNC_SERVER_FB_FORMAT == PIXMAN_FORMAT(32, PIXMAN_TYPE_ARGB, 0, 8, 8, 8)
892      r = (((v & 0x00ff0000) >> 16) << vs->client_pf.rbits) >> 8;
893      g = (((v & 0x0000ff00) >>  8) << vs->client_pf.gbits) >> 8;
894      b = (((v & 0x000000ff) >>  0) << vs->client_pf.bbits) >> 8;
895  #else
896  # error need some bits here if you change VNC_SERVER_FB_FORMAT
897  #endif
898      v = (r << vs->client_pf.rshift) |
899          (g << vs->client_pf.gshift) |
900          (b << vs->client_pf.bshift);
901      switch (vs->client_pf.bytes_per_pixel) {
902      case 1:
903          buf[0] = v;
904          break;
905      case 2:
906          if (vs->client_be) {
907              buf[0] = v >> 8;
908              buf[1] = v;
909          } else {
910              buf[1] = v >> 8;
911              buf[0] = v;
912          }
913          break;
914      default:
915      case 4:
916          if (vs->client_be) {
917              buf[0] = v >> 24;
918              buf[1] = v >> 16;
919              buf[2] = v >> 8;
920              buf[3] = v;
921          } else {
922              buf[3] = v >> 24;
923              buf[2] = v >> 16;
924              buf[1] = v >> 8;
925              buf[0] = v;
926          }
927          break;
928      }
929  }
930  
931  static void vnc_write_pixels_generic(VncState *vs,
932                                       void *pixels1, int size)
933  {
934      uint8_t buf[4];
935  
936      if (VNC_SERVER_FB_BYTES == 4) {
937          uint32_t *pixels = pixels1;
938          int n, i;
939          n = size >> 2;
940          for (i = 0; i < n; i++) {
941              vnc_convert_pixel(vs, buf, pixels[i]);
942              vnc_write(vs, buf, vs->client_pf.bytes_per_pixel);
943          }
944      }
945  }
946  
947  int vnc_raw_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
948  {
949      int i;
950      uint8_t *row;
951      VncDisplay *vd = vs->vd;
952  
953      row = vnc_server_fb_ptr(vd, x, y);
954      for (i = 0; i < h; i++) {
955          vs->write_pixels(vs, row, w * VNC_SERVER_FB_BYTES);
956          row += vnc_server_fb_stride(vd);
957      }
958      return 1;
959  }
960  
961  int vnc_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
962  {
963      int n = 0;
964  
965      switch(vs->vnc_encoding) {
966          case VNC_ENCODING_ZLIB:
967              n = vnc_zlib_send_framebuffer_update(vs, x, y, w, h);
968              break;
969          case VNC_ENCODING_HEXTILE:
970              vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_HEXTILE);
971              n = vnc_hextile_send_framebuffer_update(vs, x, y, w, h);
972              break;
973          case VNC_ENCODING_TIGHT:
974              n = vnc_tight_send_framebuffer_update(vs, x, y, w, h);
975              break;
976          case VNC_ENCODING_TIGHT_PNG:
977              n = vnc_tight_png_send_framebuffer_update(vs, x, y, w, h);
978              break;
979          case VNC_ENCODING_ZRLE:
980              n = vnc_zrle_send_framebuffer_update(vs, x, y, w, h);
981              break;
982          case VNC_ENCODING_ZYWRLE:
983              n = vnc_zywrle_send_framebuffer_update(vs, x, y, w, h);
984              break;
985          default:
986              vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_RAW);
987              n = vnc_raw_send_framebuffer_update(vs, x, y, w, h);
988              break;
989      }
990      return n;
991  }
992  
993  static void vnc_mouse_set(DisplayChangeListener *dcl,
994                            int x, int y, int visible)
995  {
996      /* can we ask the client(s) to move the pointer ??? */
997  }
998  
999  static int vnc_cursor_define(VncState *vs)
1000  {
1001      QEMUCursor *c = vs->vd->cursor;
1002      int isize;
1003  
1004      if (!vs->vd->cursor) {
1005          return -1;
1006      }
1007  
1008      if (vnc_has_feature(vs, VNC_FEATURE_ALPHA_CURSOR)) {
1009          vnc_lock_output(vs);
1010          vnc_write_u8(vs,  VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1011          vnc_write_u8(vs,  0);  /*  padding     */
1012          vnc_write_u16(vs, 1);  /*  # of rects  */
1013          vnc_framebuffer_update(vs, c->hot_x, c->hot_y, c->width, c->height,
1014                                 VNC_ENCODING_ALPHA_CURSOR);
1015          vnc_write_s32(vs, VNC_ENCODING_RAW);
1016          vnc_write(vs, c->data, c->width * c->height * 4);
1017          vnc_unlock_output(vs);
1018          return 0;
1019      }
1020      if (vnc_has_feature(vs, VNC_FEATURE_RICH_CURSOR)) {
1021          vnc_lock_output(vs);
1022          vnc_write_u8(vs,  VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1023          vnc_write_u8(vs,  0);  /*  padding     */
1024          vnc_write_u16(vs, 1);  /*  # of rects  */
1025          vnc_framebuffer_update(vs, c->hot_x, c->hot_y, c->width, c->height,
1026                                 VNC_ENCODING_RICH_CURSOR);
1027          isize = c->width * c->height * vs->client_pf.bytes_per_pixel;
1028          vnc_write_pixels_generic(vs, c->data, isize);
1029          vnc_write(vs, vs->vd->cursor_mask, vs->vd->cursor_msize);
1030          vnc_unlock_output(vs);
1031          return 0;
1032      }
1033      return -1;
1034  }
1035  
1036  static void vnc_dpy_cursor_define(DisplayChangeListener *dcl,
1037                                    QEMUCursor *c)
1038  {
1039      VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
1040      VncState *vs;
1041  
1042      cursor_put(vd->cursor);
1043      g_free(vd->cursor_mask);
1044  
1045      vd->cursor = c;
1046      cursor_get(vd->cursor);
1047      vd->cursor_msize = cursor_get_mono_bpl(c) * c->height;
1048      vd->cursor_mask = g_malloc0(vd->cursor_msize);
1049      cursor_get_mono_mask(c, 0, vd->cursor_mask);
1050  
1051      QTAILQ_FOREACH(vs, &vd->clients, next) {
1052          vnc_cursor_define(vs);
1053      }
1054  }
1055  
1056  static int find_and_clear_dirty_height(VncState *vs,
1057                                         int y, int last_x, int x, int height)
1058  {
1059      int h;
1060  
1061      for (h = 1; h < (height - y); h++) {
1062          if (!test_bit(last_x, vs->dirty[y + h])) {
1063              break;
1064          }
1065          bitmap_clear(vs->dirty[y + h], last_x, x - last_x);
1066      }
1067  
1068      return h;
1069  }
1070  
1071  /*
1072   * Figure out how much pending data we should allow in the output
1073   * buffer before we throttle incremental display updates, and/or
1074   * drop audio samples.
1075   *
1076   * We allow for equiv of 1 full display's worth of FB updates,
1077   * and 1 second of audio samples. If audio backlog was larger
1078   * than that the client would already suffering awful audio
1079   * glitches, so dropping samples is no worse really).
1080   */
1081  static void vnc_update_throttle_offset(VncState *vs)
1082  {
1083      size_t offset =
1084          vs->client_width * vs->client_height * vs->client_pf.bytes_per_pixel;
1085  
1086      if (vs->audio_cap) {
1087          int bps;
1088          switch (vs->as.fmt) {
1089          default:
1090          case  AUDIO_FORMAT_U8:
1091          case  AUDIO_FORMAT_S8:
1092              bps = 1;
1093              break;
1094          case  AUDIO_FORMAT_U16:
1095          case  AUDIO_FORMAT_S16:
1096              bps = 2;
1097              break;
1098          case  AUDIO_FORMAT_U32:
1099          case  AUDIO_FORMAT_S32:
1100              bps = 4;
1101              break;
1102          }
1103          offset += vs->as.freq * bps * vs->as.nchannels;
1104      }
1105  
1106      /* Put a floor of 1MB on offset, so that if we have a large pending
1107       * buffer and the display is resized to a small size & back again
1108       * we don't suddenly apply a tiny send limit
1109       */
1110      offset = MAX(offset, 1024 * 1024);
1111  
1112      if (vs->throttle_output_offset != offset) {
1113          trace_vnc_client_throttle_threshold(
1114              vs, vs->ioc, vs->throttle_output_offset, offset, vs->client_width,
1115              vs->client_height, vs->client_pf.bytes_per_pixel, vs->audio_cap);
1116      }
1117  
1118      vs->throttle_output_offset = offset;
1119  }
1120  
1121  static bool vnc_should_update(VncState *vs)
1122  {
1123      switch (vs->update) {
1124      case VNC_STATE_UPDATE_NONE:
1125          break;
1126      case VNC_STATE_UPDATE_INCREMENTAL:
1127          /* Only allow incremental updates if the pending send queue
1128           * is less than the permitted threshold, and the job worker
1129           * is completely idle.
1130           */
1131          if (vs->output.offset < vs->throttle_output_offset &&
1132              vs->job_update == VNC_STATE_UPDATE_NONE) {
1133              return true;
1134          }
1135          trace_vnc_client_throttle_incremental(
1136              vs, vs->ioc, vs->job_update, vs->output.offset);
1137          break;
1138      case VNC_STATE_UPDATE_FORCE:
1139          /* Only allow forced updates if the pending send queue
1140           * does not contain a previous forced update, and the
1141           * job worker is completely idle.
1142           *
1143           * Note this means we'll queue a forced update, even if
1144           * the output buffer size is otherwise over the throttle
1145           * output limit.
1146           */
1147          if (vs->force_update_offset == 0 &&
1148              vs->job_update == VNC_STATE_UPDATE_NONE) {
1149              return true;
1150          }
1151          trace_vnc_client_throttle_forced(
1152              vs, vs->ioc, vs->job_update, vs->force_update_offset);
1153          break;
1154      }
1155      return false;
1156  }
1157  
1158  static int vnc_update_client(VncState *vs, int has_dirty)
1159  {
1160      VncDisplay *vd = vs->vd;
1161      VncJob *job;
1162      int y;
1163      int height, width;
1164      int n = 0;
1165  
1166      if (vs->disconnecting) {
1167          vnc_disconnect_finish(vs);
1168          return 0;
1169      }
1170  
1171      vs->has_dirty += has_dirty;
1172      if (!vnc_should_update(vs)) {
1173          return 0;
1174      }
1175  
1176      if (!vs->has_dirty && vs->update != VNC_STATE_UPDATE_FORCE) {
1177          return 0;
1178      }
1179  
1180      /*
1181       * Send screen updates to the vnc client using the server
1182       * surface and server dirty map.  guest surface updates
1183       * happening in parallel don't disturb us, the next pass will
1184       * send them to the client.
1185       */
1186      job = vnc_job_new(vs);
1187  
1188      height = pixman_image_get_height(vd->server);
1189      width = pixman_image_get_width(vd->server);
1190  
1191      y = 0;
1192      for (;;) {
1193          int x, h;
1194          unsigned long x2;
1195          unsigned long offset = find_next_bit((unsigned long *) &vs->dirty,
1196                                               height * VNC_DIRTY_BPL(vs),
1197                                               y * VNC_DIRTY_BPL(vs));
1198          if (offset == height * VNC_DIRTY_BPL(vs)) {
1199              /* no more dirty bits */
1200              break;
1201          }
1202          y = offset / VNC_DIRTY_BPL(vs);
1203          x = offset % VNC_DIRTY_BPL(vs);
1204          x2 = find_next_zero_bit((unsigned long *) &vs->dirty[y],
1205                                  VNC_DIRTY_BPL(vs), x);
1206          bitmap_clear(vs->dirty[y], x, x2 - x);
1207          h = find_and_clear_dirty_height(vs, y, x, x2, height);
1208          x2 = MIN(x2, width / VNC_DIRTY_PIXELS_PER_BIT);
1209          if (x2 > x) {
1210              n += vnc_job_add_rect(job, x * VNC_DIRTY_PIXELS_PER_BIT, y,
1211                                    (x2 - x) * VNC_DIRTY_PIXELS_PER_BIT, h);
1212          }
1213          if (!x && x2 == width / VNC_DIRTY_PIXELS_PER_BIT) {
1214              y += h;
1215              if (y == height) {
1216                  break;
1217              }
1218          }
1219      }
1220  
1221      vs->job_update = vs->update;
1222      vs->update = VNC_STATE_UPDATE_NONE;
1223      vnc_job_push(job);
1224      vs->has_dirty = 0;
1225      return n;
1226  }
1227  
1228  /* audio */
1229  static void audio_capture_notify(void *opaque, audcnotification_e cmd)
1230  {
1231      VncState *vs = opaque;
1232  
1233      assert(vs->magic == VNC_MAGIC);
1234      switch (cmd) {
1235      case AUD_CNOTIFY_DISABLE:
1236          trace_vnc_msg_server_audio_end(vs, vs->ioc);
1237          vnc_lock_output(vs);
1238          vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1239          vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1240          vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_END);
1241          vnc_unlock_output(vs);
1242          vnc_flush(vs);
1243          break;
1244  
1245      case AUD_CNOTIFY_ENABLE:
1246          trace_vnc_msg_server_audio_begin(vs, vs->ioc);
1247          vnc_lock_output(vs);
1248          vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1249          vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1250          vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_BEGIN);
1251          vnc_unlock_output(vs);
1252          vnc_flush(vs);
1253          break;
1254      }
1255  }
1256  
1257  static void audio_capture_destroy(void *opaque)
1258  {
1259  }
1260  
1261  static void audio_capture(void *opaque, const void *buf, int size)
1262  {
1263      VncState *vs = opaque;
1264  
1265      assert(vs->magic == VNC_MAGIC);
1266      trace_vnc_msg_server_audio_data(vs, vs->ioc, buf, size);
1267      vnc_lock_output(vs);
1268      if (vs->output.offset < vs->throttle_output_offset) {
1269          vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1270          vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1271          vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_DATA);
1272          vnc_write_u32(vs, size);
1273          vnc_write(vs, buf, size);
1274      } else {
1275          trace_vnc_client_throttle_audio(vs, vs->ioc, vs->output.offset);
1276      }
1277      vnc_unlock_output(vs);
1278      vnc_flush(vs);
1279  }
1280  
1281  static void audio_add(VncState *vs)
1282  {
1283      struct audio_capture_ops ops;
1284  
1285      if (vs->audio_cap) {
1286          error_report("audio already running");
1287          return;
1288      }
1289  
1290      ops.notify = audio_capture_notify;
1291      ops.destroy = audio_capture_destroy;
1292      ops.capture = audio_capture;
1293  
1294      vs->audio_cap = AUD_add_capture(vs->vd->audio_state, &vs->as, &ops, vs);
1295      if (!vs->audio_cap) {
1296          error_report("Failed to add audio capture");
1297      }
1298  }
1299  
1300  static void audio_del(VncState *vs)
1301  {
1302      if (vs->audio_cap) {
1303          AUD_del_capture(vs->audio_cap, vs);
1304          vs->audio_cap = NULL;
1305      }
1306  }
1307  
1308  static void vnc_disconnect_start(VncState *vs)
1309  {
1310      if (vs->disconnecting) {
1311          return;
1312      }
1313      trace_vnc_client_disconnect_start(vs, vs->ioc);
1314      vnc_set_share_mode(vs, VNC_SHARE_MODE_DISCONNECTED);
1315      if (vs->ioc_tag) {
1316          g_source_remove(vs->ioc_tag);
1317          vs->ioc_tag = 0;
1318      }
1319      qio_channel_close(vs->ioc, NULL);
1320      vs->disconnecting = TRUE;
1321  }
1322  
1323  void vnc_disconnect_finish(VncState *vs)
1324  {
1325      int i;
1326  
1327      trace_vnc_client_disconnect_finish(vs, vs->ioc);
1328  
1329      vnc_jobs_join(vs); /* Wait encoding jobs */
1330  
1331      vnc_lock_output(vs);
1332      vnc_qmp_event(vs, QAPI_EVENT_VNC_DISCONNECTED);
1333  
1334      buffer_free(&vs->input);
1335      buffer_free(&vs->output);
1336  
1337      qapi_free_VncClientInfo(vs->info);
1338  
1339      vnc_zlib_clear(vs);
1340      vnc_tight_clear(vs);
1341      vnc_zrle_clear(vs);
1342  
1343  #ifdef CONFIG_VNC_SASL
1344      vnc_sasl_client_cleanup(vs);
1345  #endif /* CONFIG_VNC_SASL */
1346      audio_del(vs);
1347      qkbd_state_lift_all_keys(vs->vd->kbd);
1348  
1349      if (vs->mouse_mode_notifier.notify != NULL) {
1350          qemu_remove_mouse_mode_change_notifier(&vs->mouse_mode_notifier);
1351      }
1352      QTAILQ_REMOVE(&vs->vd->clients, vs, next);
1353      if (QTAILQ_EMPTY(&vs->vd->clients)) {
1354          /* last client gone */
1355          vnc_update_server_surface(vs->vd);
1356      }
1357      if (vs->cbpeer.update.notify) {
1358          qemu_clipboard_peer_unregister(&vs->cbpeer);
1359      }
1360  
1361      vnc_unlock_output(vs);
1362  
1363      qemu_mutex_destroy(&vs->output_mutex);
1364      if (vs->bh != NULL) {
1365          qemu_bh_delete(vs->bh);
1366      }
1367      buffer_free(&vs->jobs_buffer);
1368  
1369      for (i = 0; i < VNC_STAT_ROWS; ++i) {
1370          g_free(vs->lossy_rect[i]);
1371      }
1372      g_free(vs->lossy_rect);
1373  
1374      object_unref(OBJECT(vs->ioc));
1375      vs->ioc = NULL;
1376      object_unref(OBJECT(vs->sioc));
1377      vs->sioc = NULL;
1378      vs->magic = 0;
1379      g_free(vs->zrle);
1380      g_free(vs->tight);
1381      g_free(vs);
1382  }
1383  
1384  size_t vnc_client_io_error(VncState *vs, ssize_t ret, Error *err)
1385  {
1386      if (ret <= 0) {
1387          if (ret == 0) {
1388              trace_vnc_client_eof(vs, vs->ioc);
1389              vnc_disconnect_start(vs);
1390          } else if (ret != QIO_CHANNEL_ERR_BLOCK) {
1391              trace_vnc_client_io_error(vs, vs->ioc,
1392                                        err ? error_get_pretty(err) : "Unknown");
1393              vnc_disconnect_start(vs);
1394          }
1395  
1396          error_free(err);
1397          return 0;
1398      }
1399      return ret;
1400  }
1401  
1402  
1403  void vnc_client_error(VncState *vs)
1404  {
1405      VNC_DEBUG("Closing down client sock: protocol error\n");
1406      vnc_disconnect_start(vs);
1407  }
1408  
1409  
1410  /*
1411   * Called to write a chunk of data to the client socket. The data may
1412   * be the raw data, or may have already been encoded by SASL.
1413   * The data will be written either straight onto the socket, or
1414   * written via the GNUTLS wrappers, if TLS/SSL encryption is enabled
1415   *
1416   * NB, it is theoretically possible to have 2 layers of encryption,
1417   * both SASL, and this TLS layer. It is highly unlikely in practice
1418   * though, since SASL encryption will typically be a no-op if TLS
1419   * is active
1420   *
1421   * Returns the number of bytes written, which may be less than
1422   * the requested 'datalen' if the socket would block. Returns
1423   * 0 on I/O error, and disconnects the client socket.
1424   */
1425  size_t vnc_client_write_buf(VncState *vs, const uint8_t *data, size_t datalen)
1426  {
1427      Error *err = NULL;
1428      ssize_t ret;
1429      ret = qio_channel_write(vs->ioc, (const char *)data, datalen, &err);
1430      VNC_DEBUG("Wrote wire %p %zd -> %ld\n", data, datalen, ret);
1431      return vnc_client_io_error(vs, ret, err);
1432  }
1433  
1434  
1435  /*
1436   * Called to write buffered data to the client socket, when not
1437   * using any SASL SSF encryption layers. Will write as much data
1438   * as possible without blocking. If all buffered data is written,
1439   * will switch the FD poll() handler back to read monitoring.
1440   *
1441   * Returns the number of bytes written, which may be less than
1442   * the buffered output data if the socket would block.  Returns
1443   * 0 on I/O error, and disconnects the client socket.
1444   */
1445  static size_t vnc_client_write_plain(VncState *vs)
1446  {
1447      size_t offset;
1448      size_t ret;
1449  
1450  #ifdef CONFIG_VNC_SASL
1451      VNC_DEBUG("Write Plain: Pending output %p size %zd offset %zd. Wait SSF %d\n",
1452                vs->output.buffer, vs->output.capacity, vs->output.offset,
1453                vs->sasl.waitWriteSSF);
1454  
1455      if (vs->sasl.conn &&
1456          vs->sasl.runSSF &&
1457          vs->sasl.waitWriteSSF) {
1458          ret = vnc_client_write_buf(vs, vs->output.buffer, vs->sasl.waitWriteSSF);
1459          if (ret)
1460              vs->sasl.waitWriteSSF -= ret;
1461      } else
1462  #endif /* CONFIG_VNC_SASL */
1463          ret = vnc_client_write_buf(vs, vs->output.buffer, vs->output.offset);
1464      if (!ret)
1465          return 0;
1466  
1467      if (ret >= vs->force_update_offset) {
1468          if (vs->force_update_offset != 0) {
1469              trace_vnc_client_unthrottle_forced(vs, vs->ioc);
1470          }
1471          vs->force_update_offset = 0;
1472      } else {
1473          vs->force_update_offset -= ret;
1474      }
1475      offset = vs->output.offset;
1476      buffer_advance(&vs->output, ret);
1477      if (offset >= vs->throttle_output_offset &&
1478          vs->output.offset < vs->throttle_output_offset) {
1479          trace_vnc_client_unthrottle_incremental(vs, vs->ioc, vs->output.offset);
1480      }
1481  
1482      if (vs->output.offset == 0) {
1483          if (vs->ioc_tag) {
1484              g_source_remove(vs->ioc_tag);
1485          }
1486          vs->ioc_tag = qio_channel_add_watch(
1487              vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
1488              vnc_client_io, vs, NULL);
1489      }
1490  
1491      return ret;
1492  }
1493  
1494  
1495  /*
1496   * First function called whenever there is data to be written to
1497   * the client socket. Will delegate actual work according to whether
1498   * SASL SSF layers are enabled (thus requiring encryption calls)
1499   */
1500  static void vnc_client_write_locked(VncState *vs)
1501  {
1502  #ifdef CONFIG_VNC_SASL
1503      if (vs->sasl.conn &&
1504          vs->sasl.runSSF &&
1505          !vs->sasl.waitWriteSSF) {
1506          vnc_client_write_sasl(vs);
1507      } else
1508  #endif /* CONFIG_VNC_SASL */
1509      {
1510          vnc_client_write_plain(vs);
1511      }
1512  }
1513  
1514  static void vnc_client_write(VncState *vs)
1515  {
1516      assert(vs->magic == VNC_MAGIC);
1517      vnc_lock_output(vs);
1518      if (vs->output.offset) {
1519          vnc_client_write_locked(vs);
1520      } else if (vs->ioc != NULL) {
1521          if (vs->ioc_tag) {
1522              g_source_remove(vs->ioc_tag);
1523          }
1524          vs->ioc_tag = qio_channel_add_watch(
1525              vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
1526              vnc_client_io, vs, NULL);
1527      }
1528      vnc_unlock_output(vs);
1529  }
1530  
1531  void vnc_read_when(VncState *vs, VncReadEvent *func, size_t expecting)
1532  {
1533      vs->read_handler = func;
1534      vs->read_handler_expect = expecting;
1535  }
1536  
1537  
1538  /*
1539   * Called to read a chunk of data from the client socket. The data may
1540   * be the raw data, or may need to be further decoded by SASL.
1541   * The data will be read either straight from to the socket, or
1542   * read via the GNUTLS wrappers, if TLS/SSL encryption is enabled
1543   *
1544   * NB, it is theoretically possible to have 2 layers of encryption,
1545   * both SASL, and this TLS layer. It is highly unlikely in practice
1546   * though, since SASL encryption will typically be a no-op if TLS
1547   * is active
1548   *
1549   * Returns the number of bytes read, which may be less than
1550   * the requested 'datalen' if the socket would block. Returns
1551   * 0 on I/O error or EOF, and disconnects the client socket.
1552   */
1553  size_t vnc_client_read_buf(VncState *vs, uint8_t *data, size_t datalen)
1554  {
1555      ssize_t ret;
1556      Error *err = NULL;
1557      ret = qio_channel_read(vs->ioc, (char *)data, datalen, &err);
1558      VNC_DEBUG("Read wire %p %zd -> %ld\n", data, datalen, ret);
1559      return vnc_client_io_error(vs, ret, err);
1560  }
1561  
1562  
1563  /*
1564   * Called to read data from the client socket to the input buffer,
1565   * when not using any SASL SSF encryption layers. Will read as much
1566   * data as possible without blocking.
1567   *
1568   * Returns the number of bytes read, which may be less than
1569   * the requested 'datalen' if the socket would block. Returns
1570   * 0 on I/O error or EOF, and disconnects the client socket.
1571   */
1572  static size_t vnc_client_read_plain(VncState *vs)
1573  {
1574      size_t ret;
1575      VNC_DEBUG("Read plain %p size %zd offset %zd\n",
1576                vs->input.buffer, vs->input.capacity, vs->input.offset);
1577      buffer_reserve(&vs->input, 4096);
1578      ret = vnc_client_read_buf(vs, buffer_end(&vs->input), 4096);
1579      if (!ret)
1580          return 0;
1581      vs->input.offset += ret;
1582      return ret;
1583  }
1584  
1585  static void vnc_jobs_bh(void *opaque)
1586  {
1587      VncState *vs = opaque;
1588  
1589      assert(vs->magic == VNC_MAGIC);
1590      vnc_jobs_consume_buffer(vs);
1591  }
1592  
1593  /*
1594   * First function called whenever there is more data to be read from
1595   * the client socket. Will delegate actual work according to whether
1596   * SASL SSF layers are enabled (thus requiring decryption calls)
1597   * Returns 0 on success, -1 if client disconnected
1598   */
1599  static int vnc_client_read(VncState *vs)
1600  {
1601      size_t ret;
1602  
1603  #ifdef CONFIG_VNC_SASL
1604      if (vs->sasl.conn && vs->sasl.runSSF)
1605          ret = vnc_client_read_sasl(vs);
1606      else
1607  #endif /* CONFIG_VNC_SASL */
1608          ret = vnc_client_read_plain(vs);
1609      if (!ret) {
1610          if (vs->disconnecting) {
1611              vnc_disconnect_finish(vs);
1612              return -1;
1613          }
1614          return 0;
1615      }
1616  
1617      while (vs->read_handler && vs->input.offset >= vs->read_handler_expect) {
1618          size_t len = vs->read_handler_expect;
1619          int ret;
1620  
1621          ret = vs->read_handler(vs, vs->input.buffer, len);
1622          if (vs->disconnecting) {
1623              vnc_disconnect_finish(vs);
1624              return -1;
1625          }
1626  
1627          if (!ret) {
1628              buffer_advance(&vs->input, len);
1629          } else {
1630              vs->read_handler_expect = ret;
1631          }
1632      }
1633      return 0;
1634  }
1635  
1636  gboolean vnc_client_io(QIOChannel *ioc G_GNUC_UNUSED,
1637                         GIOCondition condition, void *opaque)
1638  {
1639      VncState *vs = opaque;
1640  
1641      assert(vs->magic == VNC_MAGIC);
1642  
1643      if (condition & (G_IO_HUP | G_IO_ERR)) {
1644          vnc_disconnect_start(vs);
1645          return TRUE;
1646      }
1647  
1648      if (condition & G_IO_IN) {
1649          if (vnc_client_read(vs) < 0) {
1650              /* vs is free()ed here */
1651              return TRUE;
1652          }
1653      }
1654      if (condition & G_IO_OUT) {
1655          vnc_client_write(vs);
1656      }
1657  
1658      if (vs->disconnecting) {
1659          if (vs->ioc_tag != 0) {
1660              g_source_remove(vs->ioc_tag);
1661          }
1662          vs->ioc_tag = 0;
1663      }
1664      return TRUE;
1665  }
1666  
1667  
1668  /*
1669   * Scale factor to apply to vs->throttle_output_offset when checking for
1670   * hard limit. Worst case normal usage could be x2, if we have a complete
1671   * incremental update and complete forced update in the output buffer.
1672   * So x3 should be good enough, but we pick x5 to be conservative and thus
1673   * (hopefully) never trigger incorrectly.
1674   */
1675  #define VNC_THROTTLE_OUTPUT_LIMIT_SCALE 5
1676  
1677  void vnc_write(VncState *vs, const void *data, size_t len)
1678  {
1679      assert(vs->magic == VNC_MAGIC);
1680      if (vs->disconnecting) {
1681          return;
1682      }
1683      /* Protection against malicious client/guest to prevent our output
1684       * buffer growing without bound if client stops reading data. This
1685       * should rarely trigger, because we have earlier throttling code
1686       * which stops issuing framebuffer updates and drops audio data
1687       * if the throttle_output_offset value is exceeded. So we only reach
1688       * this higher level if a huge number of pseudo-encodings get
1689       * triggered while data can't be sent on the socket.
1690       *
1691       * NB throttle_output_offset can be zero during early protocol
1692       * handshake, or from the job thread's VncState clone
1693       */
1694      if (vs->throttle_output_offset != 0 &&
1695          (vs->output.offset / VNC_THROTTLE_OUTPUT_LIMIT_SCALE) >
1696          vs->throttle_output_offset) {
1697          trace_vnc_client_output_limit(vs, vs->ioc, vs->output.offset,
1698                                        vs->throttle_output_offset);
1699          vnc_disconnect_start(vs);
1700          return;
1701      }
1702      buffer_reserve(&vs->output, len);
1703  
1704      if (vs->ioc != NULL && buffer_empty(&vs->output)) {
1705          if (vs->ioc_tag) {
1706              g_source_remove(vs->ioc_tag);
1707          }
1708          vs->ioc_tag = qio_channel_add_watch(
1709              vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR | G_IO_OUT,
1710              vnc_client_io, vs, NULL);
1711      }
1712  
1713      buffer_append(&vs->output, data, len);
1714  }
1715  
1716  void vnc_write_s32(VncState *vs, int32_t value)
1717  {
1718      vnc_write_u32(vs, *(uint32_t *)&value);
1719  }
1720  
1721  void vnc_write_u32(VncState *vs, uint32_t value)
1722  {
1723      uint8_t buf[4];
1724  
1725      buf[0] = (value >> 24) & 0xFF;
1726      buf[1] = (value >> 16) & 0xFF;
1727      buf[2] = (value >>  8) & 0xFF;
1728      buf[3] = value & 0xFF;
1729  
1730      vnc_write(vs, buf, 4);
1731  }
1732  
1733  void vnc_write_u16(VncState *vs, uint16_t value)
1734  {
1735      uint8_t buf[2];
1736  
1737      buf[0] = (value >> 8) & 0xFF;
1738      buf[1] = value & 0xFF;
1739  
1740      vnc_write(vs, buf, 2);
1741  }
1742  
1743  void vnc_write_u8(VncState *vs, uint8_t value)
1744  {
1745      vnc_write(vs, (char *)&value, 1);
1746  }
1747  
1748  void vnc_flush(VncState *vs)
1749  {
1750      vnc_lock_output(vs);
1751      if (vs->ioc != NULL && vs->output.offset) {
1752          vnc_client_write_locked(vs);
1753      }
1754      if (vs->disconnecting) {
1755          if (vs->ioc_tag != 0) {
1756              g_source_remove(vs->ioc_tag);
1757          }
1758          vs->ioc_tag = 0;
1759      }
1760      vnc_unlock_output(vs);
1761  }
1762  
1763  static uint8_t read_u8(uint8_t *data, size_t offset)
1764  {
1765      return data[offset];
1766  }
1767  
1768  static uint16_t read_u16(uint8_t *data, size_t offset)
1769  {
1770      return ((data[offset] & 0xFF) << 8) | (data[offset + 1] & 0xFF);
1771  }
1772  
1773  static int32_t read_s32(uint8_t *data, size_t offset)
1774  {
1775      return (int32_t)((data[offset] << 24) | (data[offset + 1] << 16) |
1776                       (data[offset + 2] << 8) | data[offset + 3]);
1777  }
1778  
1779  uint32_t read_u32(uint8_t *data, size_t offset)
1780  {
1781      return ((data[offset] << 24) | (data[offset + 1] << 16) |
1782              (data[offset + 2] << 8) | data[offset + 3]);
1783  }
1784  
1785  static void check_pointer_type_change(Notifier *notifier, void *data)
1786  {
1787      VncState *vs = container_of(notifier, VncState, mouse_mode_notifier);
1788      int absolute = qemu_input_is_absolute();
1789  
1790      if (vnc_has_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE) && vs->absolute != absolute) {
1791          vnc_lock_output(vs);
1792          vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1793          vnc_write_u8(vs, 0);
1794          vnc_write_u16(vs, 1);
1795          vnc_framebuffer_update(vs, absolute, 0,
1796                                 pixman_image_get_width(vs->vd->server),
1797                                 pixman_image_get_height(vs->vd->server),
1798                                 VNC_ENCODING_POINTER_TYPE_CHANGE);
1799          vnc_unlock_output(vs);
1800          vnc_flush(vs);
1801      }
1802      vs->absolute = absolute;
1803  }
1804  
1805  static void pointer_event(VncState *vs, int button_mask, int x, int y)
1806  {
1807      static uint32_t bmap[INPUT_BUTTON__MAX] = {
1808          [INPUT_BUTTON_LEFT]       = 0x01,
1809          [INPUT_BUTTON_MIDDLE]     = 0x02,
1810          [INPUT_BUTTON_RIGHT]      = 0x04,
1811          [INPUT_BUTTON_WHEEL_UP]   = 0x08,
1812          [INPUT_BUTTON_WHEEL_DOWN] = 0x10,
1813      };
1814      QemuConsole *con = vs->vd->dcl.con;
1815      int width = pixman_image_get_width(vs->vd->server);
1816      int height = pixman_image_get_height(vs->vd->server);
1817  
1818      if (vs->last_bmask != button_mask) {
1819          qemu_input_update_buttons(con, bmap, vs->last_bmask, button_mask);
1820          vs->last_bmask = button_mask;
1821      }
1822  
1823      if (vs->absolute) {
1824          qemu_input_queue_abs(con, INPUT_AXIS_X, x, 0, width);
1825          qemu_input_queue_abs(con, INPUT_AXIS_Y, y, 0, height);
1826      } else if (vnc_has_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE)) {
1827          qemu_input_queue_rel(con, INPUT_AXIS_X, x - 0x7FFF);
1828          qemu_input_queue_rel(con, INPUT_AXIS_Y, y - 0x7FFF);
1829      } else {
1830          if (vs->last_x != -1) {
1831              qemu_input_queue_rel(con, INPUT_AXIS_X, x - vs->last_x);
1832              qemu_input_queue_rel(con, INPUT_AXIS_Y, y - vs->last_y);
1833          }
1834          vs->last_x = x;
1835          vs->last_y = y;
1836      }
1837      qemu_input_event_sync();
1838  }
1839  
1840  static void press_key(VncState *vs, QKeyCode qcode)
1841  {
1842      qkbd_state_key_event(vs->vd->kbd, qcode, true);
1843      qkbd_state_key_event(vs->vd->kbd, qcode, false);
1844  }
1845  
1846  static void vnc_led_state_change(VncState *vs)
1847  {
1848      if (!vnc_has_feature(vs, VNC_FEATURE_LED_STATE)) {
1849          return;
1850      }
1851  
1852      vnc_lock_output(vs);
1853      vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1854      vnc_write_u8(vs, 0);
1855      vnc_write_u16(vs, 1);
1856      vnc_framebuffer_update(vs, 0, 0, 1, 1, VNC_ENCODING_LED_STATE);
1857      vnc_write_u8(vs, vs->vd->ledstate);
1858      vnc_unlock_output(vs);
1859      vnc_flush(vs);
1860  }
1861  
1862  static void kbd_leds(void *opaque, int ledstate)
1863  {
1864      VncDisplay *vd = opaque;
1865      VncState *client;
1866  
1867      trace_vnc_key_guest_leds((ledstate & QEMU_CAPS_LOCK_LED),
1868                               (ledstate & QEMU_NUM_LOCK_LED),
1869                               (ledstate & QEMU_SCROLL_LOCK_LED));
1870  
1871      if (ledstate == vd->ledstate) {
1872          return;
1873      }
1874  
1875      vd->ledstate = ledstate;
1876  
1877      QTAILQ_FOREACH(client, &vd->clients, next) {
1878          vnc_led_state_change(client);
1879      }
1880  }
1881  
1882  static void do_key_event(VncState *vs, int down, int keycode, int sym)
1883  {
1884      QKeyCode qcode = qemu_input_key_number_to_qcode(keycode);
1885  
1886      /* QEMU console switch */
1887      switch (qcode) {
1888      case Q_KEY_CODE_1 ... Q_KEY_CODE_9: /* '1' to '9' keys */
1889          if (vs->vd->dcl.con == NULL && down &&
1890              qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_CTRL) &&
1891              qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_ALT)) {
1892              /* Reset the modifiers sent to the current console */
1893              qkbd_state_lift_all_keys(vs->vd->kbd);
1894              console_select(qcode - Q_KEY_CODE_1);
1895              return;
1896          }
1897      default:
1898          break;
1899      }
1900  
1901      /* Turn off the lock state sync logic if the client support the led
1902         state extension.
1903      */
1904      if (down && vs->vd->lock_key_sync &&
1905          !vnc_has_feature(vs, VNC_FEATURE_LED_STATE) &&
1906          keycode_is_keypad(vs->vd->kbd_layout, keycode)) {
1907          /* If the numlock state needs to change then simulate an additional
1908             keypress before sending this one.  This will happen if the user
1909             toggles numlock away from the VNC window.
1910          */
1911          if (keysym_is_numlock(vs->vd->kbd_layout, sym & 0xFFFF)) {
1912              if (!qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_NUMLOCK)) {
1913                  trace_vnc_key_sync_numlock(true);
1914                  press_key(vs, Q_KEY_CODE_NUM_LOCK);
1915              }
1916          } else {
1917              if (qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_NUMLOCK)) {
1918                  trace_vnc_key_sync_numlock(false);
1919                  press_key(vs, Q_KEY_CODE_NUM_LOCK);
1920              }
1921          }
1922      }
1923  
1924      if (down && vs->vd->lock_key_sync &&
1925          !vnc_has_feature(vs, VNC_FEATURE_LED_STATE) &&
1926          ((sym >= 'A' && sym <= 'Z') || (sym >= 'a' && sym <= 'z'))) {
1927          /* If the capslock state needs to change then simulate an additional
1928             keypress before sending this one.  This will happen if the user
1929             toggles capslock away from the VNC window.
1930          */
1931          int uppercase = !!(sym >= 'A' && sym <= 'Z');
1932          bool shift = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_SHIFT);
1933          bool capslock = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_CAPSLOCK);
1934          if (capslock) {
1935              if (uppercase == shift) {
1936                  trace_vnc_key_sync_capslock(false);
1937                  press_key(vs, Q_KEY_CODE_CAPS_LOCK);
1938              }
1939          } else {
1940              if (uppercase != shift) {
1941                  trace_vnc_key_sync_capslock(true);
1942                  press_key(vs, Q_KEY_CODE_CAPS_LOCK);
1943              }
1944          }
1945      }
1946  
1947      qkbd_state_key_event(vs->vd->kbd, qcode, down);
1948      if (!qemu_console_is_graphic(NULL)) {
1949          bool numlock = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_NUMLOCK);
1950          bool control = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_CTRL);
1951          /* QEMU console emulation */
1952          if (down) {
1953              switch (keycode) {
1954              case 0x2a:                          /* Left Shift */
1955              case 0x36:                          /* Right Shift */
1956              case 0x1d:                          /* Left CTRL */
1957              case 0x9d:                          /* Right CTRL */
1958              case 0x38:                          /* Left ALT */
1959              case 0xb8:                          /* Right ALT */
1960                  break;
1961              case 0xc8:
1962                  kbd_put_keysym(QEMU_KEY_UP);
1963                  break;
1964              case 0xd0:
1965                  kbd_put_keysym(QEMU_KEY_DOWN);
1966                  break;
1967              case 0xcb:
1968                  kbd_put_keysym(QEMU_KEY_LEFT);
1969                  break;
1970              case 0xcd:
1971                  kbd_put_keysym(QEMU_KEY_RIGHT);
1972                  break;
1973              case 0xd3:
1974                  kbd_put_keysym(QEMU_KEY_DELETE);
1975                  break;
1976              case 0xc7:
1977                  kbd_put_keysym(QEMU_KEY_HOME);
1978                  break;
1979              case 0xcf:
1980                  kbd_put_keysym(QEMU_KEY_END);
1981                  break;
1982              case 0xc9:
1983                  kbd_put_keysym(QEMU_KEY_PAGEUP);
1984                  break;
1985              case 0xd1:
1986                  kbd_put_keysym(QEMU_KEY_PAGEDOWN);
1987                  break;
1988  
1989              case 0x47:
1990                  kbd_put_keysym(numlock ? '7' : QEMU_KEY_HOME);
1991                  break;
1992              case 0x48:
1993                  kbd_put_keysym(numlock ? '8' : QEMU_KEY_UP);
1994                  break;
1995              case 0x49:
1996                  kbd_put_keysym(numlock ? '9' : QEMU_KEY_PAGEUP);
1997                  break;
1998              case 0x4b:
1999                  kbd_put_keysym(numlock ? '4' : QEMU_KEY_LEFT);
2000                  break;
2001              case 0x4c:
2002                  kbd_put_keysym('5');
2003                  break;
2004              case 0x4d:
2005                  kbd_put_keysym(numlock ? '6' : QEMU_KEY_RIGHT);
2006                  break;
2007              case 0x4f:
2008                  kbd_put_keysym(numlock ? '1' : QEMU_KEY_END);
2009                  break;
2010              case 0x50:
2011                  kbd_put_keysym(numlock ? '2' : QEMU_KEY_DOWN);
2012                  break;
2013              case 0x51:
2014                  kbd_put_keysym(numlock ? '3' : QEMU_KEY_PAGEDOWN);
2015                  break;
2016              case 0x52:
2017                  kbd_put_keysym('0');
2018                  break;
2019              case 0x53:
2020                  kbd_put_keysym(numlock ? '.' : QEMU_KEY_DELETE);
2021                  break;
2022  
2023              case 0xb5:
2024                  kbd_put_keysym('/');
2025                  break;
2026              case 0x37:
2027                  kbd_put_keysym('*');
2028                  break;
2029              case 0x4a:
2030                  kbd_put_keysym('-');
2031                  break;
2032              case 0x4e:
2033                  kbd_put_keysym('+');
2034                  break;
2035              case 0x9c:
2036                  kbd_put_keysym('\n');
2037                  break;
2038  
2039              default:
2040                  if (control) {
2041                      kbd_put_keysym(sym & 0x1f);
2042                  } else {
2043                      kbd_put_keysym(sym);
2044                  }
2045                  break;
2046              }
2047          }
2048      }
2049  }
2050  
2051  static const char *code2name(int keycode)
2052  {
2053      return QKeyCode_str(qemu_input_key_number_to_qcode(keycode));
2054  }
2055  
2056  static void key_event(VncState *vs, int down, uint32_t sym)
2057  {
2058      int keycode;
2059      int lsym = sym;
2060  
2061      if (lsym >= 'A' && lsym <= 'Z' && qemu_console_is_graphic(NULL)) {
2062          lsym = lsym - 'A' + 'a';
2063      }
2064  
2065      keycode = keysym2scancode(vs->vd->kbd_layout, lsym & 0xFFFF,
2066                                vs->vd->kbd, down) & SCANCODE_KEYMASK;
2067      trace_vnc_key_event_map(down, sym, keycode, code2name(keycode));
2068      do_key_event(vs, down, keycode, sym);
2069  }
2070  
2071  static void ext_key_event(VncState *vs, int down,
2072                            uint32_t sym, uint16_t keycode)
2073  {
2074      /* if the user specifies a keyboard layout, always use it */
2075      if (keyboard_layout) {
2076          key_event(vs, down, sym);
2077      } else {
2078          trace_vnc_key_event_ext(down, sym, keycode, code2name(keycode));
2079          do_key_event(vs, down, keycode, sym);
2080      }
2081  }
2082  
2083  static void framebuffer_update_request(VncState *vs, int incremental,
2084                                         int x, int y, int w, int h)
2085  {
2086      if (incremental) {
2087          if (vs->update != VNC_STATE_UPDATE_FORCE) {
2088              vs->update = VNC_STATE_UPDATE_INCREMENTAL;
2089          }
2090      } else {
2091          vs->update = VNC_STATE_UPDATE_FORCE;
2092          vnc_set_area_dirty(vs->dirty, vs->vd, x, y, w, h);
2093          if (vnc_has_feature(vs, VNC_FEATURE_RESIZE_EXT)) {
2094              vnc_desktop_resize_ext(vs, 0);
2095          }
2096      }
2097  }
2098  
2099  static void send_ext_key_event_ack(VncState *vs)
2100  {
2101      vnc_lock_output(vs);
2102      vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2103      vnc_write_u8(vs, 0);
2104      vnc_write_u16(vs, 1);
2105      vnc_framebuffer_update(vs, 0, 0,
2106                             pixman_image_get_width(vs->vd->server),
2107                             pixman_image_get_height(vs->vd->server),
2108                             VNC_ENCODING_EXT_KEY_EVENT);
2109      vnc_unlock_output(vs);
2110      vnc_flush(vs);
2111  }
2112  
2113  static void send_ext_audio_ack(VncState *vs)
2114  {
2115      vnc_lock_output(vs);
2116      vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2117      vnc_write_u8(vs, 0);
2118      vnc_write_u16(vs, 1);
2119      vnc_framebuffer_update(vs, 0, 0,
2120                             pixman_image_get_width(vs->vd->server),
2121                             pixman_image_get_height(vs->vd->server),
2122                             VNC_ENCODING_AUDIO);
2123      vnc_unlock_output(vs);
2124      vnc_flush(vs);
2125  }
2126  
2127  static void send_xvp_message(VncState *vs, int code)
2128  {
2129      vnc_lock_output(vs);
2130      vnc_write_u8(vs, VNC_MSG_SERVER_XVP);
2131      vnc_write_u8(vs, 0); /* pad */
2132      vnc_write_u8(vs, 1); /* version */
2133      vnc_write_u8(vs, code);
2134      vnc_unlock_output(vs);
2135      vnc_flush(vs);
2136  }
2137  
2138  static void set_encodings(VncState *vs, int32_t *encodings, size_t n_encodings)
2139  {
2140      int i;
2141      unsigned int enc = 0;
2142  
2143      vs->features = 0;
2144      vs->vnc_encoding = 0;
2145      vs->tight->compression = 9;
2146      vs->tight->quality = -1; /* Lossless by default */
2147      vs->absolute = -1;
2148  
2149      /*
2150       * Start from the end because the encodings are sent in order of preference.
2151       * This way the preferred encoding (first encoding defined in the array)
2152       * will be set at the end of the loop.
2153       */
2154      for (i = n_encodings - 1; i >= 0; i--) {
2155          enc = encodings[i];
2156          switch (enc) {
2157          case VNC_ENCODING_RAW:
2158              vs->vnc_encoding = enc;
2159              break;
2160          case VNC_ENCODING_HEXTILE:
2161              vs->features |= VNC_FEATURE_HEXTILE_MASK;
2162              vs->vnc_encoding = enc;
2163              break;
2164          case VNC_ENCODING_TIGHT:
2165              vs->features |= VNC_FEATURE_TIGHT_MASK;
2166              vs->vnc_encoding = enc;
2167              break;
2168  #ifdef CONFIG_VNC_PNG
2169          case VNC_ENCODING_TIGHT_PNG:
2170              vs->features |= VNC_FEATURE_TIGHT_PNG_MASK;
2171              vs->vnc_encoding = enc;
2172              break;
2173  #endif
2174          case VNC_ENCODING_ZLIB:
2175              /*
2176               * VNC_ENCODING_ZRLE compresses better than VNC_ENCODING_ZLIB.
2177               * So prioritize ZRLE, even if the client hints that it prefers
2178               * ZLIB.
2179               */
2180              if ((vs->features & VNC_FEATURE_ZRLE_MASK) == 0) {
2181                  vs->features |= VNC_FEATURE_ZLIB_MASK;
2182                  vs->vnc_encoding = enc;
2183              }
2184              break;
2185          case VNC_ENCODING_ZRLE:
2186              vs->features |= VNC_FEATURE_ZRLE_MASK;
2187              vs->vnc_encoding = enc;
2188              break;
2189          case VNC_ENCODING_ZYWRLE:
2190              vs->features |= VNC_FEATURE_ZYWRLE_MASK;
2191              vs->vnc_encoding = enc;
2192              break;
2193          case VNC_ENCODING_DESKTOPRESIZE:
2194              vs->features |= VNC_FEATURE_RESIZE_MASK;
2195              break;
2196          case VNC_ENCODING_DESKTOP_RESIZE_EXT:
2197              vs->features |= VNC_FEATURE_RESIZE_EXT_MASK;
2198              break;
2199          case VNC_ENCODING_POINTER_TYPE_CHANGE:
2200              vs->features |= VNC_FEATURE_POINTER_TYPE_CHANGE_MASK;
2201              break;
2202          case VNC_ENCODING_RICH_CURSOR:
2203              vs->features |= VNC_FEATURE_RICH_CURSOR_MASK;
2204              break;
2205          case VNC_ENCODING_ALPHA_CURSOR:
2206              vs->features |= VNC_FEATURE_ALPHA_CURSOR_MASK;
2207              break;
2208          case VNC_ENCODING_EXT_KEY_EVENT:
2209              send_ext_key_event_ack(vs);
2210              break;
2211          case VNC_ENCODING_AUDIO:
2212              send_ext_audio_ack(vs);
2213              break;
2214          case VNC_ENCODING_WMVi:
2215              vs->features |= VNC_FEATURE_WMVI_MASK;
2216              break;
2217          case VNC_ENCODING_LED_STATE:
2218              vs->features |= VNC_FEATURE_LED_STATE_MASK;
2219              break;
2220          case VNC_ENCODING_XVP:
2221              if (vs->vd->power_control) {
2222                  vs->features |= VNC_FEATURE_XVP;
2223                  send_xvp_message(vs, VNC_XVP_CODE_INIT);
2224              }
2225              break;
2226          case VNC_ENCODING_CLIPBOARD_EXT:
2227              vs->features |= VNC_FEATURE_CLIPBOARD_EXT_MASK;
2228              vnc_server_cut_text_caps(vs);
2229              break;
2230          case VNC_ENCODING_COMPRESSLEVEL0 ... VNC_ENCODING_COMPRESSLEVEL0 + 9:
2231              vs->tight->compression = (enc & 0x0F);
2232              break;
2233          case VNC_ENCODING_QUALITYLEVEL0 ... VNC_ENCODING_QUALITYLEVEL0 + 9:
2234              if (vs->vd->lossy) {
2235                  vs->tight->quality = (enc & 0x0F);
2236              }
2237              break;
2238          default:
2239              VNC_DEBUG("Unknown encoding: %d (0x%.8x): %d\n", i, enc, enc);
2240              break;
2241          }
2242      }
2243      vnc_desktop_resize(vs);
2244      check_pointer_type_change(&vs->mouse_mode_notifier, NULL);
2245      vnc_led_state_change(vs);
2246      vnc_cursor_define(vs);
2247  }
2248  
2249  static void set_pixel_conversion(VncState *vs)
2250  {
2251      pixman_format_code_t fmt = qemu_pixman_get_format(&vs->client_pf);
2252  
2253      if (fmt == VNC_SERVER_FB_FORMAT) {
2254          vs->write_pixels = vnc_write_pixels_copy;
2255          vnc_hextile_set_pixel_conversion(vs, 0);
2256      } else {
2257          vs->write_pixels = vnc_write_pixels_generic;
2258          vnc_hextile_set_pixel_conversion(vs, 1);
2259      }
2260  }
2261  
2262  static void send_color_map(VncState *vs)
2263  {
2264      int i;
2265  
2266      vnc_lock_output(vs);
2267      vnc_write_u8(vs, VNC_MSG_SERVER_SET_COLOUR_MAP_ENTRIES);
2268      vnc_write_u8(vs,  0);    /* padding     */
2269      vnc_write_u16(vs, 0);    /* first color */
2270      vnc_write_u16(vs, 256);  /* # of colors */
2271  
2272      for (i = 0; i < 256; i++) {
2273          PixelFormat *pf = &vs->client_pf;
2274  
2275          vnc_write_u16(vs, (((i >> pf->rshift) & pf->rmax) << (16 - pf->rbits)));
2276          vnc_write_u16(vs, (((i >> pf->gshift) & pf->gmax) << (16 - pf->gbits)));
2277          vnc_write_u16(vs, (((i >> pf->bshift) & pf->bmax) << (16 - pf->bbits)));
2278      }
2279      vnc_unlock_output(vs);
2280  }
2281  
2282  static void set_pixel_format(VncState *vs, int bits_per_pixel,
2283                               int big_endian_flag, int true_color_flag,
2284                               int red_max, int green_max, int blue_max,
2285                               int red_shift, int green_shift, int blue_shift)
2286  {
2287      if (!true_color_flag) {
2288          /* Expose a reasonable default 256 color map */
2289          bits_per_pixel = 8;
2290          red_max = 7;
2291          green_max = 7;
2292          blue_max = 3;
2293          red_shift = 0;
2294          green_shift = 3;
2295          blue_shift = 6;
2296      }
2297  
2298      switch (bits_per_pixel) {
2299      case 8:
2300      case 16:
2301      case 32:
2302          break;
2303      default:
2304          vnc_client_error(vs);
2305          return;
2306      }
2307  
2308      vs->client_pf.rmax = red_max ? red_max : 0xFF;
2309      vs->client_pf.rbits = ctpopl(red_max);
2310      vs->client_pf.rshift = red_shift;
2311      vs->client_pf.rmask = red_max << red_shift;
2312      vs->client_pf.gmax = green_max ? green_max : 0xFF;
2313      vs->client_pf.gbits = ctpopl(green_max);
2314      vs->client_pf.gshift = green_shift;
2315      vs->client_pf.gmask = green_max << green_shift;
2316      vs->client_pf.bmax = blue_max ? blue_max : 0xFF;
2317      vs->client_pf.bbits = ctpopl(blue_max);
2318      vs->client_pf.bshift = blue_shift;
2319      vs->client_pf.bmask = blue_max << blue_shift;
2320      vs->client_pf.bits_per_pixel = bits_per_pixel;
2321      vs->client_pf.bytes_per_pixel = bits_per_pixel / 8;
2322      vs->client_pf.depth = bits_per_pixel == 32 ? 24 : bits_per_pixel;
2323      vs->client_be = big_endian_flag;
2324  
2325      if (!true_color_flag) {
2326          send_color_map(vs);
2327      }
2328  
2329      set_pixel_conversion(vs);
2330  
2331      graphic_hw_invalidate(vs->vd->dcl.con);
2332      graphic_hw_update(vs->vd->dcl.con);
2333  }
2334  
2335  static void pixel_format_message (VncState *vs) {
2336      char pad[3] = { 0, 0, 0 };
2337  
2338      vs->client_pf = qemu_default_pixelformat(32);
2339  
2340      vnc_write_u8(vs, vs->client_pf.bits_per_pixel); /* bits-per-pixel */
2341      vnc_write_u8(vs, vs->client_pf.depth); /* depth */
2342  
2343  #ifdef HOST_WORDS_BIGENDIAN
2344      vnc_write_u8(vs, 1);             /* big-endian-flag */
2345  #else
2346      vnc_write_u8(vs, 0);             /* big-endian-flag */
2347  #endif
2348      vnc_write_u8(vs, 1);             /* true-color-flag */
2349      vnc_write_u16(vs, vs->client_pf.rmax);     /* red-max */
2350      vnc_write_u16(vs, vs->client_pf.gmax);     /* green-max */
2351      vnc_write_u16(vs, vs->client_pf.bmax);     /* blue-max */
2352      vnc_write_u8(vs, vs->client_pf.rshift);    /* red-shift */
2353      vnc_write_u8(vs, vs->client_pf.gshift);    /* green-shift */
2354      vnc_write_u8(vs, vs->client_pf.bshift);    /* blue-shift */
2355      vnc_write(vs, pad, 3);           /* padding */
2356  
2357      vnc_hextile_set_pixel_conversion(vs, 0);
2358      vs->write_pixels = vnc_write_pixels_copy;
2359  }
2360  
2361  static void vnc_colordepth(VncState *vs)
2362  {
2363      if (vnc_has_feature(vs, VNC_FEATURE_WMVI)) {
2364          /* Sending a WMVi message to notify the client*/
2365          vnc_lock_output(vs);
2366          vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2367          vnc_write_u8(vs, 0);
2368          vnc_write_u16(vs, 1); /* number of rects */
2369          vnc_framebuffer_update(vs, 0, 0,
2370                                 vs->client_width,
2371                                 vs->client_height,
2372                                 VNC_ENCODING_WMVi);
2373          pixel_format_message(vs);
2374          vnc_unlock_output(vs);
2375          vnc_flush(vs);
2376      } else {
2377          set_pixel_conversion(vs);
2378      }
2379  }
2380  
2381  static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
2382  {
2383      int i;
2384      uint16_t limit;
2385      uint32_t freq;
2386      VncDisplay *vd = vs->vd;
2387  
2388      if (data[0] > 3) {
2389          update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
2390      }
2391  
2392      switch (data[0]) {
2393      case VNC_MSG_CLIENT_SET_PIXEL_FORMAT:
2394          if (len == 1)
2395              return 20;
2396  
2397          set_pixel_format(vs, read_u8(data, 4),
2398                           read_u8(data, 6), read_u8(data, 7),
2399                           read_u16(data, 8), read_u16(data, 10),
2400                           read_u16(data, 12), read_u8(data, 14),
2401                           read_u8(data, 15), read_u8(data, 16));
2402          break;
2403      case VNC_MSG_CLIENT_SET_ENCODINGS:
2404          if (len == 1)
2405              return 4;
2406  
2407          if (len == 4) {
2408              limit = read_u16(data, 2);
2409              if (limit > 0)
2410                  return 4 + (limit * 4);
2411          } else
2412              limit = read_u16(data, 2);
2413  
2414          for (i = 0; i < limit; i++) {
2415              int32_t val = read_s32(data, 4 + (i * 4));
2416              memcpy(data + 4 + (i * 4), &val, sizeof(val));
2417          }
2418  
2419          set_encodings(vs, (int32_t *)(data + 4), limit);
2420          break;
2421      case VNC_MSG_CLIENT_FRAMEBUFFER_UPDATE_REQUEST:
2422          if (len == 1)
2423              return 10;
2424  
2425          framebuffer_update_request(vs,
2426                                     read_u8(data, 1), read_u16(data, 2), read_u16(data, 4),
2427                                     read_u16(data, 6), read_u16(data, 8));
2428          break;
2429      case VNC_MSG_CLIENT_KEY_EVENT:
2430          if (len == 1)
2431              return 8;
2432  
2433          key_event(vs, read_u8(data, 1), read_u32(data, 4));
2434          break;
2435      case VNC_MSG_CLIENT_POINTER_EVENT:
2436          if (len == 1)
2437              return 6;
2438  
2439          pointer_event(vs, read_u8(data, 1), read_u16(data, 2), read_u16(data, 4));
2440          break;
2441      case VNC_MSG_CLIENT_CUT_TEXT:
2442          if (len == 1) {
2443              return 8;
2444          }
2445          if (len == 8) {
2446              uint32_t dlen = abs(read_s32(data, 4));
2447              if (dlen > (1 << 20)) {
2448                  error_report("vnc: client_cut_text msg payload has %u bytes"
2449                               " which exceeds our limit of 1MB.", dlen);
2450                  vnc_client_error(vs);
2451                  break;
2452              }
2453              if (dlen > 0) {
2454                  return 8 + dlen;
2455              }
2456          }
2457  
2458          if (read_s32(data, 4) < 0) {
2459              vnc_client_cut_text_ext(vs, abs(read_s32(data, 4)),
2460                                      read_u32(data, 8), data + 12);
2461              break;
2462          }
2463          vnc_client_cut_text(vs, read_u32(data, 4), data + 8);
2464          break;
2465      case VNC_MSG_CLIENT_XVP:
2466          if (!(vs->features & VNC_FEATURE_XVP)) {
2467              error_report("vnc: xvp client message while disabled");
2468              vnc_client_error(vs);
2469              break;
2470          }
2471          if (len == 1) {
2472              return 4;
2473          }
2474          if (len == 4) {
2475              uint8_t version = read_u8(data, 2);
2476              uint8_t action = read_u8(data, 3);
2477  
2478              if (version != 1) {
2479                  error_report("vnc: xvp client message version %d != 1",
2480                               version);
2481                  vnc_client_error(vs);
2482                  break;
2483              }
2484  
2485              switch (action) {
2486              case VNC_XVP_ACTION_SHUTDOWN:
2487                  qemu_system_powerdown_request();
2488                  break;
2489              case VNC_XVP_ACTION_REBOOT:
2490                  send_xvp_message(vs, VNC_XVP_CODE_FAIL);
2491                  break;
2492              case VNC_XVP_ACTION_RESET:
2493                  qemu_system_reset_request(SHUTDOWN_CAUSE_HOST_QMP_SYSTEM_RESET);
2494                  break;
2495              default:
2496                  send_xvp_message(vs, VNC_XVP_CODE_FAIL);
2497                  break;
2498              }
2499          }
2500          break;
2501      case VNC_MSG_CLIENT_QEMU:
2502          if (len == 1)
2503              return 2;
2504  
2505          switch (read_u8(data, 1)) {
2506          case VNC_MSG_CLIENT_QEMU_EXT_KEY_EVENT:
2507              if (len == 2)
2508                  return 12;
2509  
2510              ext_key_event(vs, read_u16(data, 2),
2511                            read_u32(data, 4), read_u32(data, 8));
2512              break;
2513          case VNC_MSG_CLIENT_QEMU_AUDIO:
2514              if (len == 2)
2515                  return 4;
2516  
2517              switch (read_u16 (data, 2)) {
2518              case VNC_MSG_CLIENT_QEMU_AUDIO_ENABLE:
2519                  trace_vnc_msg_client_audio_enable(vs, vs->ioc);
2520                  audio_add(vs);
2521                  break;
2522              case VNC_MSG_CLIENT_QEMU_AUDIO_DISABLE:
2523                  trace_vnc_msg_client_audio_disable(vs, vs->ioc);
2524                  audio_del(vs);
2525                  break;
2526              case VNC_MSG_CLIENT_QEMU_AUDIO_SET_FORMAT:
2527                  if (len == 4)
2528                      return 10;
2529                  switch (read_u8(data, 4)) {
2530                  case 0: vs->as.fmt = AUDIO_FORMAT_U8; break;
2531                  case 1: vs->as.fmt = AUDIO_FORMAT_S8; break;
2532                  case 2: vs->as.fmt = AUDIO_FORMAT_U16; break;
2533                  case 3: vs->as.fmt = AUDIO_FORMAT_S16; break;
2534                  case 4: vs->as.fmt = AUDIO_FORMAT_U32; break;
2535                  case 5: vs->as.fmt = AUDIO_FORMAT_S32; break;
2536                  default:
2537                      VNC_DEBUG("Invalid audio format %d\n", read_u8(data, 4));
2538                      vnc_client_error(vs);
2539                      break;
2540                  }
2541                  vs->as.nchannels = read_u8(data, 5);
2542                  if (vs->as.nchannels != 1 && vs->as.nchannels != 2) {
2543                      VNC_DEBUG("Invalid audio channel count %d\n",
2544                                read_u8(data, 5));
2545                      vnc_client_error(vs);
2546                      break;
2547                  }
2548                  freq = read_u32(data, 6);
2549                  /* No official limit for protocol, but 48khz is a sensible
2550                   * upper bound for trustworthy clients, and this limit
2551                   * protects calculations involving 'vs->as.freq' later.
2552                   */
2553                  if (freq > 48000) {
2554                      VNC_DEBUG("Invalid audio frequency %u > 48000", freq);
2555                      vnc_client_error(vs);
2556                      break;
2557                  }
2558                  vs->as.freq = freq;
2559                  trace_vnc_msg_client_audio_format(
2560                      vs, vs->ioc, vs->as.fmt, vs->as.nchannels, vs->as.freq);
2561                  break;
2562              default:
2563                  VNC_DEBUG("Invalid audio message %d\n", read_u8(data, 4));
2564                  vnc_client_error(vs);
2565                  break;
2566              }
2567              break;
2568  
2569          default:
2570              VNC_DEBUG("Msg: %d\n", read_u16(data, 0));
2571              vnc_client_error(vs);
2572              break;
2573          }
2574          break;
2575      case VNC_MSG_CLIENT_SET_DESKTOP_SIZE:
2576      {
2577          size_t size;
2578          uint8_t screens;
2579          int w, h;
2580  
2581          if (len < 8) {
2582              return 8;
2583          }
2584  
2585          screens = read_u8(data, 6);
2586          size    = 8 + screens * 16;
2587          if (len < size) {
2588              return size;
2589          }
2590          w = read_u16(data, 2);
2591          h = read_u16(data, 4);
2592  
2593          trace_vnc_msg_client_set_desktop_size(vs, vs->ioc, w, h, screens);
2594          if (dpy_ui_info_supported(vs->vd->dcl.con)) {
2595              QemuUIInfo info;
2596              memset(&info, 0, sizeof(info));
2597              info.width = w;
2598              info.height = h;
2599              dpy_set_ui_info(vs->vd->dcl.con, &info);
2600              vnc_desktop_resize_ext(vs, 4 /* Request forwarded */);
2601          } else {
2602              vnc_desktop_resize_ext(vs, 3 /* Invalid screen layout */);
2603          }
2604  
2605          break;
2606      }
2607      default:
2608          VNC_DEBUG("Msg: %d\n", data[0]);
2609          vnc_client_error(vs);
2610          break;
2611      }
2612  
2613      vnc_update_throttle_offset(vs);
2614      vnc_read_when(vs, protocol_client_msg, 1);
2615      return 0;
2616  }
2617  
2618  static int protocol_client_init(VncState *vs, uint8_t *data, size_t len)
2619  {
2620      char buf[1024];
2621      VncShareMode mode;
2622      int size;
2623  
2624      mode = data[0] ? VNC_SHARE_MODE_SHARED : VNC_SHARE_MODE_EXCLUSIVE;
2625      switch (vs->vd->share_policy) {
2626      case VNC_SHARE_POLICY_IGNORE:
2627          /*
2628           * Ignore the shared flag.  Nothing to do here.
2629           *
2630           * Doesn't conform to the rfb spec but is traditional qemu
2631           * behavior, thus left here as option for compatibility
2632           * reasons.
2633           */
2634          break;
2635      case VNC_SHARE_POLICY_ALLOW_EXCLUSIVE:
2636          /*
2637           * Policy: Allow clients ask for exclusive access.
2638           *
2639           * Implementation: When a client asks for exclusive access,
2640           * disconnect all others. Shared connects are allowed as long
2641           * as no exclusive connection exists.
2642           *
2643           * This is how the rfb spec suggests to handle the shared flag.
2644           */
2645          if (mode == VNC_SHARE_MODE_EXCLUSIVE) {
2646              VncState *client;
2647              QTAILQ_FOREACH(client, &vs->vd->clients, next) {
2648                  if (vs == client) {
2649                      continue;
2650                  }
2651                  if (client->share_mode != VNC_SHARE_MODE_EXCLUSIVE &&
2652                      client->share_mode != VNC_SHARE_MODE_SHARED) {
2653                      continue;
2654                  }
2655                  vnc_disconnect_start(client);
2656              }
2657          }
2658          if (mode == VNC_SHARE_MODE_SHARED) {
2659              if (vs->vd->num_exclusive > 0) {
2660                  vnc_disconnect_start(vs);
2661                  return 0;
2662              }
2663          }
2664          break;
2665      case VNC_SHARE_POLICY_FORCE_SHARED:
2666          /*
2667           * Policy: Shared connects only.
2668           * Implementation: Disallow clients asking for exclusive access.
2669           *
2670           * Useful for shared desktop sessions where you don't want
2671           * someone forgetting to say -shared when running the vnc
2672           * client disconnect everybody else.
2673           */
2674          if (mode == VNC_SHARE_MODE_EXCLUSIVE) {
2675              vnc_disconnect_start(vs);
2676              return 0;
2677          }
2678          break;
2679      }
2680      vnc_set_share_mode(vs, mode);
2681  
2682      if (vs->vd->num_shared > vs->vd->connections_limit) {
2683          vnc_disconnect_start(vs);
2684          return 0;
2685      }
2686  
2687      assert(pixman_image_get_width(vs->vd->server) < 65536 &&
2688             pixman_image_get_width(vs->vd->server) >= 0);
2689      assert(pixman_image_get_height(vs->vd->server) < 65536 &&
2690             pixman_image_get_height(vs->vd->server) >= 0);
2691      vs->client_width = pixman_image_get_width(vs->vd->server);
2692      vs->client_height = pixman_image_get_height(vs->vd->server);
2693      vnc_write_u16(vs, vs->client_width);
2694      vnc_write_u16(vs, vs->client_height);
2695  
2696      pixel_format_message(vs);
2697  
2698      if (qemu_name) {
2699          size = snprintf(buf, sizeof(buf), "QEMU (%s)", qemu_name);
2700          if (size > sizeof(buf)) {
2701              size = sizeof(buf);
2702          }
2703      } else {
2704          size = snprintf(buf, sizeof(buf), "QEMU");
2705      }
2706  
2707      vnc_write_u32(vs, size);
2708      vnc_write(vs, buf, size);
2709      vnc_flush(vs);
2710  
2711      vnc_client_cache_auth(vs);
2712      vnc_qmp_event(vs, QAPI_EVENT_VNC_INITIALIZED);
2713  
2714      vnc_read_when(vs, protocol_client_msg, 1);
2715  
2716      return 0;
2717  }
2718  
2719  void start_client_init(VncState *vs)
2720  {
2721      vnc_read_when(vs, protocol_client_init, 1);
2722  }
2723  
2724  static void authentication_failed(VncState *vs)
2725  {
2726      vnc_write_u32(vs, 1); /* Reject auth */
2727      if (vs->minor >= 8) {
2728          static const char err[] = "Authentication failed";
2729          vnc_write_u32(vs, sizeof(err));
2730          vnc_write(vs, err, sizeof(err));
2731      }
2732      vnc_flush(vs);
2733      vnc_client_error(vs);
2734  }
2735  
2736  static void
2737  vnc_munge_des_rfb_key(unsigned char *key, size_t nkey)
2738  {
2739      size_t i;
2740      for (i = 0; i < nkey; i++) {
2741          uint8_t r = key[i];
2742          r = (r & 0xf0) >> 4 | (r & 0x0f) << 4;
2743          r = (r & 0xcc) >> 2 | (r & 0x33) << 2;
2744          r = (r & 0xaa) >> 1 | (r & 0x55) << 1;
2745          key[i] = r;
2746      }
2747  }
2748  
2749  static int protocol_client_auth_vnc(VncState *vs, uint8_t *data, size_t len)
2750  {
2751      unsigned char response[VNC_AUTH_CHALLENGE_SIZE];
2752      size_t i, pwlen;
2753      unsigned char key[8];
2754      time_t now = time(NULL);
2755      QCryptoCipher *cipher = NULL;
2756      Error *err = NULL;
2757  
2758      if (!vs->vd->password) {
2759          trace_vnc_auth_fail(vs, vs->auth, "password is not set", "");
2760          goto reject;
2761      }
2762      if (vs->vd->expires < now) {
2763          trace_vnc_auth_fail(vs, vs->auth, "password is expired", "");
2764          goto reject;
2765      }
2766  
2767      memcpy(response, vs->challenge, VNC_AUTH_CHALLENGE_SIZE);
2768  
2769      /* Calculate the expected challenge response */
2770      pwlen = strlen(vs->vd->password);
2771      for (i=0; i<sizeof(key); i++)
2772          key[i] = i<pwlen ? vs->vd->password[i] : 0;
2773      vnc_munge_des_rfb_key(key, sizeof(key));
2774  
2775      cipher = qcrypto_cipher_new(
2776          QCRYPTO_CIPHER_ALG_DES,
2777          QCRYPTO_CIPHER_MODE_ECB,
2778          key, G_N_ELEMENTS(key),
2779          &err);
2780      if (!cipher) {
2781          trace_vnc_auth_fail(vs, vs->auth, "cannot create cipher",
2782                              error_get_pretty(err));
2783          error_free(err);
2784          goto reject;
2785      }
2786  
2787      if (qcrypto_cipher_encrypt(cipher,
2788                                 vs->challenge,
2789                                 response,
2790                                 VNC_AUTH_CHALLENGE_SIZE,
2791                                 &err) < 0) {
2792          trace_vnc_auth_fail(vs, vs->auth, "cannot encrypt challenge response",
2793                              error_get_pretty(err));
2794          error_free(err);
2795          goto reject;
2796      }
2797  
2798      /* Compare expected vs actual challenge response */
2799      if (memcmp(response, data, VNC_AUTH_CHALLENGE_SIZE) != 0) {
2800          trace_vnc_auth_fail(vs, vs->auth, "mis-matched challenge response", "");
2801          goto reject;
2802      } else {
2803          trace_vnc_auth_pass(vs, vs->auth);
2804          vnc_write_u32(vs, 0); /* Accept auth */
2805          vnc_flush(vs);
2806  
2807          start_client_init(vs);
2808      }
2809  
2810      qcrypto_cipher_free(cipher);
2811      return 0;
2812  
2813  reject:
2814      authentication_failed(vs);
2815      qcrypto_cipher_free(cipher);
2816      return 0;
2817  }
2818  
2819  void start_auth_vnc(VncState *vs)
2820  {
2821      Error *err = NULL;
2822  
2823      if (qcrypto_random_bytes(vs->challenge, sizeof(vs->challenge), &err)) {
2824          trace_vnc_auth_fail(vs, vs->auth, "cannot get random bytes",
2825                              error_get_pretty(err));
2826          error_free(err);
2827          authentication_failed(vs);
2828          return;
2829      }
2830  
2831      /* Send client a 'random' challenge */
2832      vnc_write(vs, vs->challenge, sizeof(vs->challenge));
2833      vnc_flush(vs);
2834  
2835      vnc_read_when(vs, protocol_client_auth_vnc, sizeof(vs->challenge));
2836  }
2837  
2838  
2839  static int protocol_client_auth(VncState *vs, uint8_t *data, size_t len)
2840  {
2841      /* We only advertise 1 auth scheme at a time, so client
2842       * must pick the one we sent. Verify this */
2843      if (data[0] != vs->auth) { /* Reject auth */
2844         trace_vnc_auth_reject(vs, vs->auth, (int)data[0]);
2845         authentication_failed(vs);
2846      } else { /* Accept requested auth */
2847         trace_vnc_auth_start(vs, vs->auth);
2848         switch (vs->auth) {
2849         case VNC_AUTH_NONE:
2850             if (vs->minor >= 8) {
2851                 vnc_write_u32(vs, 0); /* Accept auth completion */
2852                 vnc_flush(vs);
2853             }
2854             trace_vnc_auth_pass(vs, vs->auth);
2855             start_client_init(vs);
2856             break;
2857  
2858         case VNC_AUTH_VNC:
2859             start_auth_vnc(vs);
2860             break;
2861  
2862         case VNC_AUTH_VENCRYPT:
2863             start_auth_vencrypt(vs);
2864             break;
2865  
2866  #ifdef CONFIG_VNC_SASL
2867         case VNC_AUTH_SASL:
2868             start_auth_sasl(vs);
2869             break;
2870  #endif /* CONFIG_VNC_SASL */
2871  
2872         default: /* Should not be possible, but just in case */
2873             trace_vnc_auth_fail(vs, vs->auth, "Unhandled auth method", "");
2874             authentication_failed(vs);
2875         }
2876      }
2877      return 0;
2878  }
2879  
2880  static int protocol_version(VncState *vs, uint8_t *version, size_t len)
2881  {
2882      char local[13];
2883  
2884      memcpy(local, version, 12);
2885      local[12] = 0;
2886  
2887      if (sscanf(local, "RFB %03d.%03d\n", &vs->major, &vs->minor) != 2) {
2888          VNC_DEBUG("Malformed protocol version %s\n", local);
2889          vnc_client_error(vs);
2890          return 0;
2891      }
2892      VNC_DEBUG("Client request protocol version %d.%d\n", vs->major, vs->minor);
2893      if (vs->major != 3 ||
2894          (vs->minor != 3 &&
2895           vs->minor != 4 &&
2896           vs->minor != 5 &&
2897           vs->minor != 7 &&
2898           vs->minor != 8)) {
2899          VNC_DEBUG("Unsupported client version\n");
2900          vnc_write_u32(vs, VNC_AUTH_INVALID);
2901          vnc_flush(vs);
2902          vnc_client_error(vs);
2903          return 0;
2904      }
2905      /* Some broken clients report v3.4 or v3.5, which spec requires to be treated
2906       * as equivalent to v3.3 by servers
2907       */
2908      if (vs->minor == 4 || vs->minor == 5)
2909          vs->minor = 3;
2910  
2911      if (vs->minor == 3) {
2912          trace_vnc_auth_start(vs, vs->auth);
2913          if (vs->auth == VNC_AUTH_NONE) {
2914              vnc_write_u32(vs, vs->auth);
2915              vnc_flush(vs);
2916              trace_vnc_auth_pass(vs, vs->auth);
2917              start_client_init(vs);
2918         } else if (vs->auth == VNC_AUTH_VNC) {
2919              VNC_DEBUG("Tell client VNC auth\n");
2920              vnc_write_u32(vs, vs->auth);
2921              vnc_flush(vs);
2922              start_auth_vnc(vs);
2923         } else {
2924              trace_vnc_auth_fail(vs, vs->auth,
2925                                  "Unsupported auth method for v3.3", "");
2926              vnc_write_u32(vs, VNC_AUTH_INVALID);
2927              vnc_flush(vs);
2928              vnc_client_error(vs);
2929         }
2930      } else {
2931          vnc_write_u8(vs, 1); /* num auth */
2932          vnc_write_u8(vs, vs->auth);
2933          vnc_read_when(vs, protocol_client_auth, 1);
2934          vnc_flush(vs);
2935      }
2936  
2937      return 0;
2938  }
2939  
2940  static VncRectStat *vnc_stat_rect(VncDisplay *vd, int x, int y)
2941  {
2942      struct VncSurface *vs = &vd->guest;
2943  
2944      return &vs->stats[y / VNC_STAT_RECT][x / VNC_STAT_RECT];
2945  }
2946  
2947  void vnc_sent_lossy_rect(VncState *vs, int x, int y, int w, int h)
2948  {
2949      int i, j;
2950  
2951      w = (x + w) / VNC_STAT_RECT;
2952      h = (y + h) / VNC_STAT_RECT;
2953      x /= VNC_STAT_RECT;
2954      y /= VNC_STAT_RECT;
2955  
2956      for (j = y; j <= h; j++) {
2957          for (i = x; i <= w; i++) {
2958              vs->lossy_rect[j][i] = 1;
2959          }
2960      }
2961  }
2962  
2963  static int vnc_refresh_lossy_rect(VncDisplay *vd, int x, int y)
2964  {
2965      VncState *vs;
2966      int sty = y / VNC_STAT_RECT;
2967      int stx = x / VNC_STAT_RECT;
2968      int has_dirty = 0;
2969  
2970      y = QEMU_ALIGN_DOWN(y, VNC_STAT_RECT);
2971      x = QEMU_ALIGN_DOWN(x, VNC_STAT_RECT);
2972  
2973      QTAILQ_FOREACH(vs, &vd->clients, next) {
2974          int j;
2975  
2976          /* kernel send buffers are full -> refresh later */
2977          if (vs->output.offset) {
2978              continue;
2979          }
2980  
2981          if (!vs->lossy_rect[sty][stx]) {
2982              continue;
2983          }
2984  
2985          vs->lossy_rect[sty][stx] = 0;
2986          for (j = 0; j < VNC_STAT_RECT; ++j) {
2987              bitmap_set(vs->dirty[y + j],
2988                         x / VNC_DIRTY_PIXELS_PER_BIT,
2989                         VNC_STAT_RECT / VNC_DIRTY_PIXELS_PER_BIT);
2990          }
2991          has_dirty++;
2992      }
2993  
2994      return has_dirty;
2995  }
2996  
2997  static int vnc_update_stats(VncDisplay *vd,  struct timeval * tv)
2998  {
2999      int width = MIN(pixman_image_get_width(vd->guest.fb),
3000                      pixman_image_get_width(vd->server));
3001      int height = MIN(pixman_image_get_height(vd->guest.fb),
3002                       pixman_image_get_height(vd->server));
3003      int x, y;
3004      struct timeval res;
3005      int has_dirty = 0;
3006  
3007      for (y = 0; y < height; y += VNC_STAT_RECT) {
3008          for (x = 0; x < width; x += VNC_STAT_RECT) {
3009              VncRectStat *rect = vnc_stat_rect(vd, x, y);
3010  
3011              rect->updated = false;
3012          }
3013      }
3014  
3015      qemu_timersub(tv, &VNC_REFRESH_STATS, &res);
3016  
3017      if (timercmp(&vd->guest.last_freq_check, &res, >)) {
3018          return has_dirty;
3019      }
3020      vd->guest.last_freq_check = *tv;
3021  
3022      for (y = 0; y < height; y += VNC_STAT_RECT) {
3023          for (x = 0; x < width; x += VNC_STAT_RECT) {
3024              VncRectStat *rect= vnc_stat_rect(vd, x, y);
3025              int count = ARRAY_SIZE(rect->times);
3026              struct timeval min, max;
3027  
3028              if (!timerisset(&rect->times[count - 1])) {
3029                  continue ;
3030              }
3031  
3032              max = rect->times[(rect->idx + count - 1) % count];
3033              qemu_timersub(tv, &max, &res);
3034  
3035              if (timercmp(&res, &VNC_REFRESH_LOSSY, >)) {
3036                  rect->freq = 0;
3037                  has_dirty += vnc_refresh_lossy_rect(vd, x, y);
3038                  memset(rect->times, 0, sizeof (rect->times));
3039                  continue ;
3040              }
3041  
3042              min = rect->times[rect->idx];
3043              max = rect->times[(rect->idx + count - 1) % count];
3044              qemu_timersub(&max, &min, &res);
3045  
3046              rect->freq = res.tv_sec + res.tv_usec / 1000000.;
3047              rect->freq /= count;
3048              rect->freq = 1. / rect->freq;
3049          }
3050      }
3051      return has_dirty;
3052  }
3053  
3054  double vnc_update_freq(VncState *vs, int x, int y, int w, int h)
3055  {
3056      int i, j;
3057      double total = 0;
3058      int num = 0;
3059  
3060      x =  QEMU_ALIGN_DOWN(x, VNC_STAT_RECT);
3061      y =  QEMU_ALIGN_DOWN(y, VNC_STAT_RECT);
3062  
3063      for (j = y; j <= y + h; j += VNC_STAT_RECT) {
3064          for (i = x; i <= x + w; i += VNC_STAT_RECT) {
3065              total += vnc_stat_rect(vs->vd, i, j)->freq;
3066              num++;
3067          }
3068      }
3069  
3070      if (num) {
3071          return total / num;
3072      } else {
3073          return 0;
3074      }
3075  }
3076  
3077  static void vnc_rect_updated(VncDisplay *vd, int x, int y, struct timeval * tv)
3078  {
3079      VncRectStat *rect;
3080  
3081      rect = vnc_stat_rect(vd, x, y);
3082      if (rect->updated) {
3083          return ;
3084      }
3085      rect->times[rect->idx] = *tv;
3086      rect->idx = (rect->idx + 1) % ARRAY_SIZE(rect->times);
3087      rect->updated = true;
3088  }
3089  
3090  static int vnc_refresh_server_surface(VncDisplay *vd)
3091  {
3092      int width = MIN(pixman_image_get_width(vd->guest.fb),
3093                      pixman_image_get_width(vd->server));
3094      int height = MIN(pixman_image_get_height(vd->guest.fb),
3095                       pixman_image_get_height(vd->server));
3096      int cmp_bytes, server_stride, line_bytes, guest_ll, guest_stride, y = 0;
3097      uint8_t *guest_row0 = NULL, *server_row0;
3098      VncState *vs;
3099      int has_dirty = 0;
3100      pixman_image_t *tmpbuf = NULL;
3101  
3102      struct timeval tv = { 0, 0 };
3103  
3104      if (!vd->non_adaptive) {
3105          gettimeofday(&tv, NULL);
3106          has_dirty = vnc_update_stats(vd, &tv);
3107      }
3108  
3109      /*
3110       * Walk through the guest dirty map.
3111       * Check and copy modified bits from guest to server surface.
3112       * Update server dirty map.
3113       */
3114      server_row0 = (uint8_t *)pixman_image_get_data(vd->server);
3115      server_stride = guest_stride = guest_ll =
3116          pixman_image_get_stride(vd->server);
3117      cmp_bytes = MIN(VNC_DIRTY_PIXELS_PER_BIT * VNC_SERVER_FB_BYTES,
3118                      server_stride);
3119      if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
3120          int width = pixman_image_get_width(vd->server);
3121          tmpbuf = qemu_pixman_linebuf_create(VNC_SERVER_FB_FORMAT, width);
3122      } else {
3123          int guest_bpp =
3124              PIXMAN_FORMAT_BPP(pixman_image_get_format(vd->guest.fb));
3125          guest_row0 = (uint8_t *)pixman_image_get_data(vd->guest.fb);
3126          guest_stride = pixman_image_get_stride(vd->guest.fb);
3127          guest_ll = pixman_image_get_width(vd->guest.fb)
3128                     * DIV_ROUND_UP(guest_bpp, 8);
3129      }
3130      line_bytes = MIN(server_stride, guest_ll);
3131  
3132      for (;;) {
3133          int x;
3134          uint8_t *guest_ptr, *server_ptr;
3135          unsigned long offset = find_next_bit((unsigned long *) &vd->guest.dirty,
3136                                               height * VNC_DIRTY_BPL(&vd->guest),
3137                                               y * VNC_DIRTY_BPL(&vd->guest));
3138          if (offset == height * VNC_DIRTY_BPL(&vd->guest)) {
3139              /* no more dirty bits */
3140              break;
3141          }
3142          y = offset / VNC_DIRTY_BPL(&vd->guest);
3143          x = offset % VNC_DIRTY_BPL(&vd->guest);
3144  
3145          server_ptr = server_row0 + y * server_stride + x * cmp_bytes;
3146  
3147          if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
3148              qemu_pixman_linebuf_fill(tmpbuf, vd->guest.fb, width, 0, y);
3149              guest_ptr = (uint8_t *)pixman_image_get_data(tmpbuf);
3150          } else {
3151              guest_ptr = guest_row0 + y * guest_stride;
3152          }
3153          guest_ptr += x * cmp_bytes;
3154  
3155          for (; x < DIV_ROUND_UP(width, VNC_DIRTY_PIXELS_PER_BIT);
3156               x++, guest_ptr += cmp_bytes, server_ptr += cmp_bytes) {
3157              int _cmp_bytes = cmp_bytes;
3158              if (!test_and_clear_bit(x, vd->guest.dirty[y])) {
3159                  continue;
3160              }
3161              if ((x + 1) * cmp_bytes > line_bytes) {
3162                  _cmp_bytes = line_bytes - x * cmp_bytes;
3163              }
3164              assert(_cmp_bytes >= 0);
3165              if (memcmp(server_ptr, guest_ptr, _cmp_bytes) == 0) {
3166                  continue;
3167              }
3168              memcpy(server_ptr, guest_ptr, _cmp_bytes);
3169              if (!vd->non_adaptive) {
3170                  vnc_rect_updated(vd, x * VNC_DIRTY_PIXELS_PER_BIT,
3171                                   y, &tv);
3172              }
3173              QTAILQ_FOREACH(vs, &vd->clients, next) {
3174                  set_bit(x, vs->dirty[y]);
3175              }
3176              has_dirty++;
3177          }
3178  
3179          y++;
3180      }
3181      qemu_pixman_image_unref(tmpbuf);
3182      return has_dirty;
3183  }
3184  
3185  static void vnc_refresh(DisplayChangeListener *dcl)
3186  {
3187      VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
3188      VncState *vs, *vn;
3189      int has_dirty, rects = 0;
3190  
3191      if (QTAILQ_EMPTY(&vd->clients)) {
3192          update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_MAX);
3193          return;
3194      }
3195  
3196      graphic_hw_update(vd->dcl.con);
3197  
3198      if (vnc_trylock_display(vd)) {
3199          update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
3200          return;
3201      }
3202  
3203      has_dirty = vnc_refresh_server_surface(vd);
3204      vnc_unlock_display(vd);
3205  
3206      QTAILQ_FOREACH_SAFE(vs, &vd->clients, next, vn) {
3207          rects += vnc_update_client(vs, has_dirty);
3208          /* vs might be free()ed here */
3209      }
3210  
3211      if (has_dirty && rects) {
3212          vd->dcl.update_interval /= 2;
3213          if (vd->dcl.update_interval < VNC_REFRESH_INTERVAL_BASE) {
3214              vd->dcl.update_interval = VNC_REFRESH_INTERVAL_BASE;
3215          }
3216      } else {
3217          vd->dcl.update_interval += VNC_REFRESH_INTERVAL_INC;
3218          if (vd->dcl.update_interval > VNC_REFRESH_INTERVAL_MAX) {
3219              vd->dcl.update_interval = VNC_REFRESH_INTERVAL_MAX;
3220          }
3221      }
3222  }
3223  
3224  static void vnc_connect(VncDisplay *vd, QIOChannelSocket *sioc,
3225                          bool skipauth, bool websocket)
3226  {
3227      VncState *vs = g_new0(VncState, 1);
3228      bool first_client = QTAILQ_EMPTY(&vd->clients);
3229      int i;
3230  
3231      trace_vnc_client_connect(vs, sioc);
3232      vs->zrle = g_new0(VncZrle, 1);
3233      vs->tight = g_new0(VncTight, 1);
3234      vs->magic = VNC_MAGIC;
3235      vs->sioc = sioc;
3236      object_ref(OBJECT(vs->sioc));
3237      vs->ioc = QIO_CHANNEL(sioc);
3238      object_ref(OBJECT(vs->ioc));
3239      vs->vd = vd;
3240  
3241      buffer_init(&vs->input,          "vnc-input/%p", sioc);
3242      buffer_init(&vs->output,         "vnc-output/%p", sioc);
3243      buffer_init(&vs->jobs_buffer,    "vnc-jobs_buffer/%p", sioc);
3244  
3245      buffer_init(&vs->tight->tight,    "vnc-tight/%p", sioc);
3246      buffer_init(&vs->tight->zlib,     "vnc-tight-zlib/%p", sioc);
3247      buffer_init(&vs->tight->gradient, "vnc-tight-gradient/%p", sioc);
3248  #ifdef CONFIG_VNC_JPEG
3249      buffer_init(&vs->tight->jpeg,     "vnc-tight-jpeg/%p", sioc);
3250  #endif
3251  #ifdef CONFIG_VNC_PNG
3252      buffer_init(&vs->tight->png,      "vnc-tight-png/%p", sioc);
3253  #endif
3254      buffer_init(&vs->zlib.zlib,      "vnc-zlib/%p", sioc);
3255      buffer_init(&vs->zrle->zrle,      "vnc-zrle/%p", sioc);
3256      buffer_init(&vs->zrle->fb,        "vnc-zrle-fb/%p", sioc);
3257      buffer_init(&vs->zrle->zlib,      "vnc-zrle-zlib/%p", sioc);
3258  
3259      if (skipauth) {
3260          vs->auth = VNC_AUTH_NONE;
3261          vs->subauth = VNC_AUTH_INVALID;
3262      } else {
3263          if (websocket) {
3264              vs->auth = vd->ws_auth;
3265              vs->subauth = VNC_AUTH_INVALID;
3266          } else {
3267              vs->auth = vd->auth;
3268              vs->subauth = vd->subauth;
3269          }
3270      }
3271      VNC_DEBUG("Client sioc=%p ws=%d auth=%d subauth=%d\n",
3272                sioc, websocket, vs->auth, vs->subauth);
3273  
3274      vs->lossy_rect = g_malloc0(VNC_STAT_ROWS * sizeof (*vs->lossy_rect));
3275      for (i = 0; i < VNC_STAT_ROWS; ++i) {
3276          vs->lossy_rect[i] = g_new0(uint8_t, VNC_STAT_COLS);
3277      }
3278  
3279      VNC_DEBUG("New client on socket %p\n", vs->sioc);
3280      update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
3281      qio_channel_set_blocking(vs->ioc, false, NULL);
3282      if (vs->ioc_tag) {
3283          g_source_remove(vs->ioc_tag);
3284      }
3285      if (websocket) {
3286          vs->websocket = 1;
3287          if (vd->tlscreds) {
3288              vs->ioc_tag = qio_channel_add_watch(
3289                  vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
3290                  vncws_tls_handshake_io, vs, NULL);
3291          } else {
3292              vs->ioc_tag = qio_channel_add_watch(
3293                  vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
3294                  vncws_handshake_io, vs, NULL);
3295          }
3296      } else {
3297          vs->ioc_tag = qio_channel_add_watch(
3298              vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
3299              vnc_client_io, vs, NULL);
3300      }
3301  
3302      vnc_client_cache_addr(vs);
3303      vnc_qmp_event(vs, QAPI_EVENT_VNC_CONNECTED);
3304      vnc_set_share_mode(vs, VNC_SHARE_MODE_CONNECTING);
3305  
3306      vs->last_x = -1;
3307      vs->last_y = -1;
3308  
3309      vs->as.freq = 44100;
3310      vs->as.nchannels = 2;
3311      vs->as.fmt = AUDIO_FORMAT_S16;
3312      vs->as.endianness = 0;
3313  
3314      qemu_mutex_init(&vs->output_mutex);
3315      vs->bh = qemu_bh_new(vnc_jobs_bh, vs);
3316  
3317      QTAILQ_INSERT_TAIL(&vd->clients, vs, next);
3318      if (first_client) {
3319          vnc_update_server_surface(vd);
3320      }
3321  
3322      graphic_hw_update(vd->dcl.con);
3323  
3324      if (!vs->websocket) {
3325          vnc_start_protocol(vs);
3326      }
3327  
3328      if (vd->num_connecting > vd->connections_limit) {
3329          QTAILQ_FOREACH(vs, &vd->clients, next) {
3330              if (vs->share_mode == VNC_SHARE_MODE_CONNECTING) {
3331                  vnc_disconnect_start(vs);
3332                  return;
3333              }
3334          }
3335      }
3336  }
3337  
3338  void vnc_start_protocol(VncState *vs)
3339  {
3340      vnc_write(vs, "RFB 003.008\n", 12);
3341      vnc_flush(vs);
3342      vnc_read_when(vs, protocol_version, 12);
3343  
3344      vs->mouse_mode_notifier.notify = check_pointer_type_change;
3345      qemu_add_mouse_mode_change_notifier(&vs->mouse_mode_notifier);
3346  }
3347  
3348  static void vnc_listen_io(QIONetListener *listener,
3349                            QIOChannelSocket *cioc,
3350                            void *opaque)
3351  {
3352      VncDisplay *vd = opaque;
3353      bool isWebsock = listener == vd->wslistener;
3354  
3355      qio_channel_set_name(QIO_CHANNEL(cioc),
3356                           isWebsock ? "vnc-ws-server" : "vnc-server");
3357      qio_channel_set_delay(QIO_CHANNEL(cioc), false);
3358      vnc_connect(vd, cioc, false, isWebsock);
3359  }
3360  
3361  static const DisplayChangeListenerOps dcl_ops = {
3362      .dpy_name             = "vnc",
3363      .dpy_refresh          = vnc_refresh,
3364      .dpy_gfx_update       = vnc_dpy_update,
3365      .dpy_gfx_switch       = vnc_dpy_switch,
3366      .dpy_gfx_check_format = qemu_pixman_check_format,
3367      .dpy_mouse_set        = vnc_mouse_set,
3368      .dpy_cursor_define    = vnc_dpy_cursor_define,
3369  };
3370  
3371  void vnc_display_init(const char *id, Error **errp)
3372  {
3373      VncDisplay *vd;
3374  
3375      if (vnc_display_find(id) != NULL) {
3376          return;
3377      }
3378      vd = g_malloc0(sizeof(*vd));
3379  
3380      vd->id = strdup(id);
3381      QTAILQ_INSERT_TAIL(&vnc_displays, vd, next);
3382  
3383      QTAILQ_INIT(&vd->clients);
3384      vd->expires = TIME_MAX;
3385  
3386      if (keyboard_layout) {
3387          trace_vnc_key_map_init(keyboard_layout);
3388          vd->kbd_layout = init_keyboard_layout(name2keysym,
3389                                                keyboard_layout, errp);
3390      } else {
3391          vd->kbd_layout = init_keyboard_layout(name2keysym, "en-us", errp);
3392      }
3393  
3394      if (!vd->kbd_layout) {
3395          return;
3396      }
3397  
3398      vd->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
3399      vd->connections_limit = 32;
3400  
3401      qemu_mutex_init(&vd->mutex);
3402      vnc_start_worker_thread();
3403  
3404      vd->dcl.ops = &dcl_ops;
3405      register_displaychangelistener(&vd->dcl);
3406      vd->kbd = qkbd_state_init(vd->dcl.con);
3407  }
3408  
3409  
3410  static void vnc_display_close(VncDisplay *vd)
3411  {
3412      if (!vd) {
3413          return;
3414      }
3415      vd->is_unix = false;
3416  
3417      if (vd->listener) {
3418          qio_net_listener_disconnect(vd->listener);
3419          object_unref(OBJECT(vd->listener));
3420      }
3421      vd->listener = NULL;
3422  
3423      if (vd->wslistener) {
3424          qio_net_listener_disconnect(vd->wslistener);
3425          object_unref(OBJECT(vd->wslistener));
3426      }
3427      vd->wslistener = NULL;
3428  
3429      vd->auth = VNC_AUTH_INVALID;
3430      vd->subauth = VNC_AUTH_INVALID;
3431      if (vd->tlscreds) {
3432          object_unref(OBJECT(vd->tlscreds));
3433          vd->tlscreds = NULL;
3434      }
3435      if (vd->tlsauthz) {
3436          object_unparent(OBJECT(vd->tlsauthz));
3437          vd->tlsauthz = NULL;
3438      }
3439      g_free(vd->tlsauthzid);
3440      vd->tlsauthzid = NULL;
3441      if (vd->lock_key_sync) {
3442          qemu_remove_led_event_handler(vd->led);
3443          vd->led = NULL;
3444      }
3445  #ifdef CONFIG_VNC_SASL
3446      if (vd->sasl.authz) {
3447          object_unparent(OBJECT(vd->sasl.authz));
3448          vd->sasl.authz = NULL;
3449      }
3450      g_free(vd->sasl.authzid);
3451      vd->sasl.authzid = NULL;
3452  #endif
3453  }
3454  
3455  int vnc_display_password(const char *id, const char *password)
3456  {
3457      VncDisplay *vd = vnc_display_find(id);
3458  
3459      if (!vd) {
3460          return -EINVAL;
3461      }
3462      if (vd->auth == VNC_AUTH_NONE) {
3463          error_printf_unless_qmp("If you want use passwords please enable "
3464                                  "password auth using '-vnc ${dpy},password'.\n");
3465          return -EINVAL;
3466      }
3467  
3468      g_free(vd->password);
3469      vd->password = g_strdup(password);
3470  
3471      return 0;
3472  }
3473  
3474  int vnc_display_pw_expire(const char *id, time_t expires)
3475  {
3476      VncDisplay *vd = vnc_display_find(id);
3477  
3478      if (!vd) {
3479          return -EINVAL;
3480      }
3481  
3482      vd->expires = expires;
3483      return 0;
3484  }
3485  
3486  static void vnc_display_print_local_addr(VncDisplay *vd)
3487  {
3488      SocketAddress *addr;
3489  
3490      if (!vd->listener || !vd->listener->nsioc) {
3491          return;
3492      }
3493  
3494      addr = qio_channel_socket_get_local_address(vd->listener->sioc[0], NULL);
3495      if (!addr) {
3496          return;
3497      }
3498  
3499      if (addr->type != SOCKET_ADDRESS_TYPE_INET) {
3500          qapi_free_SocketAddress(addr);
3501          return;
3502      }
3503      error_printf_unless_qmp("VNC server running on %s:%s\n",
3504                              addr->u.inet.host,
3505                              addr->u.inet.port);
3506      qapi_free_SocketAddress(addr);
3507  }
3508  
3509  static QemuOptsList qemu_vnc_opts = {
3510      .name = "vnc",
3511      .head = QTAILQ_HEAD_INITIALIZER(qemu_vnc_opts.head),
3512      .implied_opt_name = "vnc",
3513      .desc = {
3514          {
3515              .name = "vnc",
3516              .type = QEMU_OPT_STRING,
3517          },{
3518              .name = "websocket",
3519              .type = QEMU_OPT_STRING,
3520          },{
3521              .name = "tls-creds",
3522              .type = QEMU_OPT_STRING,
3523          },{
3524              .name = "share",
3525              .type = QEMU_OPT_STRING,
3526          },{
3527              .name = "display",
3528              .type = QEMU_OPT_STRING,
3529          },{
3530              .name = "head",
3531              .type = QEMU_OPT_NUMBER,
3532          },{
3533              .name = "connections",
3534              .type = QEMU_OPT_NUMBER,
3535          },{
3536              .name = "to",
3537              .type = QEMU_OPT_NUMBER,
3538          },{
3539              .name = "ipv4",
3540              .type = QEMU_OPT_BOOL,
3541          },{
3542              .name = "ipv6",
3543              .type = QEMU_OPT_BOOL,
3544          },{
3545              .name = "password",
3546              .type = QEMU_OPT_BOOL,
3547          },{
3548              .name = "password-secret",
3549              .type = QEMU_OPT_STRING,
3550          },{
3551              .name = "reverse",
3552              .type = QEMU_OPT_BOOL,
3553          },{
3554              .name = "lock-key-sync",
3555              .type = QEMU_OPT_BOOL,
3556          },{
3557              .name = "key-delay-ms",
3558              .type = QEMU_OPT_NUMBER,
3559          },{
3560              .name = "sasl",
3561              .type = QEMU_OPT_BOOL,
3562          },{
3563              .name = "tls-authz",
3564              .type = QEMU_OPT_STRING,
3565          },{
3566              .name = "sasl-authz",
3567              .type = QEMU_OPT_STRING,
3568          },{
3569              .name = "lossy",
3570              .type = QEMU_OPT_BOOL,
3571          },{
3572              .name = "non-adaptive",
3573              .type = QEMU_OPT_BOOL,
3574          },{
3575              .name = "audiodev",
3576              .type = QEMU_OPT_STRING,
3577          },{
3578              .name = "power-control",
3579              .type = QEMU_OPT_BOOL,
3580          },
3581          { /* end of list */ }
3582      },
3583  };
3584  
3585  
3586  static int
3587  vnc_display_setup_auth(int *auth,
3588                         int *subauth,
3589                         QCryptoTLSCreds *tlscreds,
3590                         bool password,
3591                         bool sasl,
3592                         bool websocket,
3593                         Error **errp)
3594  {
3595      /*
3596       * We have a choice of 3 authentication options
3597       *
3598       *   1. none
3599       *   2. vnc
3600       *   3. sasl
3601       *
3602       * The channel can be run in 2 modes
3603       *
3604       *   1. clear
3605       *   2. tls
3606       *
3607       * And TLS can use 2 types of credentials
3608       *
3609       *   1. anon
3610       *   2. x509
3611       *
3612       * We thus have 9 possible logical combinations
3613       *
3614       *   1. clear + none
3615       *   2. clear + vnc
3616       *   3. clear + sasl
3617       *   4. tls + anon + none
3618       *   5. tls + anon + vnc
3619       *   6. tls + anon + sasl
3620       *   7. tls + x509 + none
3621       *   8. tls + x509 + vnc
3622       *   9. tls + x509 + sasl
3623       *
3624       * These need to be mapped into the VNC auth schemes
3625       * in an appropriate manner. In regular VNC, all the
3626       * TLS options get mapped into VNC_AUTH_VENCRYPT
3627       * sub-auth types.
3628       *
3629       * In websockets, the https:// protocol already provides
3630       * TLS support, so there is no need to make use of the
3631       * VeNCrypt extension. Furthermore, websockets browser
3632       * clients could not use VeNCrypt even if they wanted to,
3633       * as they cannot control when the TLS handshake takes
3634       * place. Thus there is no option but to rely on https://,
3635       * meaning combinations 4->6 and 7->9 will be mapped to
3636       * VNC auth schemes in the same way as combos 1->3.
3637       *
3638       * Regardless of fact that we have a different mapping to
3639       * VNC auth mechs for plain VNC vs websockets VNC, the end
3640       * result has the same security characteristics.
3641       */
3642      if (websocket || !tlscreds) {
3643          if (password) {
3644              VNC_DEBUG("Initializing VNC server with password auth\n");
3645              *auth = VNC_AUTH_VNC;
3646          } else if (sasl) {
3647              VNC_DEBUG("Initializing VNC server with SASL auth\n");
3648              *auth = VNC_AUTH_SASL;
3649          } else {
3650              VNC_DEBUG("Initializing VNC server with no auth\n");
3651              *auth = VNC_AUTH_NONE;
3652          }
3653          *subauth = VNC_AUTH_INVALID;
3654      } else {
3655          bool is_x509 = object_dynamic_cast(OBJECT(tlscreds),
3656                                             TYPE_QCRYPTO_TLS_CREDS_X509) != NULL;
3657          bool is_anon = object_dynamic_cast(OBJECT(tlscreds),
3658                                             TYPE_QCRYPTO_TLS_CREDS_ANON) != NULL;
3659  
3660          if (!is_x509 && !is_anon) {
3661              error_setg(errp,
3662                         "Unsupported TLS cred type %s",
3663                         object_get_typename(OBJECT(tlscreds)));
3664              return -1;
3665          }
3666          *auth = VNC_AUTH_VENCRYPT;
3667          if (password) {
3668              if (is_x509) {
3669                  VNC_DEBUG("Initializing VNC server with x509 password auth\n");
3670                  *subauth = VNC_AUTH_VENCRYPT_X509VNC;
3671              } else {
3672                  VNC_DEBUG("Initializing VNC server with TLS password auth\n");
3673                  *subauth = VNC_AUTH_VENCRYPT_TLSVNC;
3674              }
3675  
3676          } else if (sasl) {
3677              if (is_x509) {
3678                  VNC_DEBUG("Initializing VNC server with x509 SASL auth\n");
3679                  *subauth = VNC_AUTH_VENCRYPT_X509SASL;
3680              } else {
3681                  VNC_DEBUG("Initializing VNC server with TLS SASL auth\n");
3682                  *subauth = VNC_AUTH_VENCRYPT_TLSSASL;
3683              }
3684          } else {
3685              if (is_x509) {
3686                  VNC_DEBUG("Initializing VNC server with x509 no auth\n");
3687                  *subauth = VNC_AUTH_VENCRYPT_X509NONE;
3688              } else {
3689                  VNC_DEBUG("Initializing VNC server with TLS no auth\n");
3690                  *subauth = VNC_AUTH_VENCRYPT_TLSNONE;
3691              }
3692          }
3693      }
3694      return 0;
3695  }
3696  
3697  
3698  static int vnc_display_get_address(const char *addrstr,
3699                                     bool websocket,
3700                                     bool reverse,
3701                                     int displaynum,
3702                                     int to,
3703                                     bool has_ipv4,
3704                                     bool has_ipv6,
3705                                     bool ipv4,
3706                                     bool ipv6,
3707                                     SocketAddress **retaddr,
3708                                     Error **errp)
3709  {
3710      int ret = -1;
3711      SocketAddress *addr = NULL;
3712  
3713      addr = g_new0(SocketAddress, 1);
3714  
3715      if (strncmp(addrstr, "unix:", 5) == 0) {
3716          addr->type = SOCKET_ADDRESS_TYPE_UNIX;
3717          addr->u.q_unix.path = g_strdup(addrstr + 5);
3718  
3719          if (websocket) {
3720              error_setg(errp, "UNIX sockets not supported with websock");
3721              goto cleanup;
3722          }
3723  
3724          if (to) {
3725              error_setg(errp, "Port range not support with UNIX socket");
3726              goto cleanup;
3727          }
3728          ret = 0;
3729      } else {
3730          const char *port;
3731          size_t hostlen;
3732          unsigned long long baseport = 0;
3733          InetSocketAddress *inet;
3734  
3735          port = strrchr(addrstr, ':');
3736          if (!port) {
3737              if (websocket) {
3738                  hostlen = 0;
3739                  port = addrstr;
3740              } else {
3741                  error_setg(errp, "no vnc port specified");
3742                  goto cleanup;
3743              }
3744          } else {
3745              hostlen = port - addrstr;
3746              port++;
3747              if (*port == '\0') {
3748                  error_setg(errp, "vnc port cannot be empty");
3749                  goto cleanup;
3750              }
3751          }
3752  
3753          addr->type = SOCKET_ADDRESS_TYPE_INET;
3754          inet = &addr->u.inet;
3755          if (addrstr[0] == '[' && addrstr[hostlen - 1] == ']') {
3756              inet->host = g_strndup(addrstr + 1, hostlen - 2);
3757          } else {
3758              inet->host = g_strndup(addrstr, hostlen);
3759          }
3760          /* plain VNC port is just an offset, for websocket
3761           * port is absolute */
3762          if (websocket) {
3763              if (g_str_equal(addrstr, "") ||
3764                  g_str_equal(addrstr, "on")) {
3765                  if (displaynum == -1) {
3766                      error_setg(errp, "explicit websocket port is required");
3767                      goto cleanup;
3768                  }
3769                  inet->port = g_strdup_printf(
3770                      "%d", displaynum + 5700);
3771                  if (to) {
3772                      inet->has_to = true;
3773                      inet->to = to + 5700;
3774                  }
3775              } else {
3776                  inet->port = g_strdup(port);
3777              }
3778          } else {
3779              int offset = reverse ? 0 : 5900;
3780              if (parse_uint_full(port, &baseport, 10) < 0) {
3781                  error_setg(errp, "can't convert to a number: %s", port);
3782                  goto cleanup;
3783              }
3784              if (baseport > 65535 ||
3785                  baseport + offset > 65535) {
3786                  error_setg(errp, "port %s out of range", port);
3787                  goto cleanup;
3788              }
3789              inet->port = g_strdup_printf(
3790                  "%d", (int)baseport + offset);
3791  
3792              if (to) {
3793                  inet->has_to = true;
3794                  inet->to = to + offset;
3795              }
3796          }
3797  
3798          inet->ipv4 = ipv4;
3799          inet->has_ipv4 = has_ipv4;
3800          inet->ipv6 = ipv6;
3801          inet->has_ipv6 = has_ipv6;
3802  
3803          ret = baseport;
3804      }
3805  
3806      *retaddr = addr;
3807  
3808   cleanup:
3809      if (ret < 0) {
3810          qapi_free_SocketAddress(addr);
3811      }
3812      return ret;
3813  }
3814  
3815  static void vnc_free_addresses(SocketAddress ***retsaddr,
3816                                 size_t *retnsaddr)
3817  {
3818      size_t i;
3819  
3820      for (i = 0; i < *retnsaddr; i++) {
3821          qapi_free_SocketAddress((*retsaddr)[i]);
3822      }
3823      g_free(*retsaddr);
3824  
3825      *retsaddr = NULL;
3826      *retnsaddr = 0;
3827  }
3828  
3829  static int vnc_display_get_addresses(QemuOpts *opts,
3830                                       bool reverse,
3831                                       SocketAddress ***retsaddr,
3832                                       size_t *retnsaddr,
3833                                       SocketAddress ***retwsaddr,
3834                                       size_t *retnwsaddr,
3835                                       Error **errp)
3836  {
3837      SocketAddress *saddr = NULL;
3838      SocketAddress *wsaddr = NULL;
3839      QemuOptsIter addriter;
3840      const char *addr;
3841      int to = qemu_opt_get_number(opts, "to", 0);
3842      bool has_ipv4 = qemu_opt_get(opts, "ipv4");
3843      bool has_ipv6 = qemu_opt_get(opts, "ipv6");
3844      bool ipv4 = qemu_opt_get_bool(opts, "ipv4", false);
3845      bool ipv6 = qemu_opt_get_bool(opts, "ipv6", false);
3846      int displaynum = -1;
3847      int ret = -1;
3848  
3849      *retsaddr = NULL;
3850      *retnsaddr = 0;
3851      *retwsaddr = NULL;
3852      *retnwsaddr = 0;
3853  
3854      addr = qemu_opt_get(opts, "vnc");
3855      if (addr == NULL || g_str_equal(addr, "none")) {
3856          ret = 0;
3857          goto cleanup;
3858      }
3859      if (qemu_opt_get(opts, "websocket") &&
3860          !qcrypto_hash_supports(QCRYPTO_HASH_ALG_SHA1)) {
3861          error_setg(errp,
3862                     "SHA1 hash support is required for websockets");
3863          goto cleanup;
3864      }
3865  
3866      qemu_opt_iter_init(&addriter, opts, "vnc");
3867      while ((addr = qemu_opt_iter_next(&addriter)) != NULL) {
3868          int rv;
3869          rv = vnc_display_get_address(addr, false, reverse, 0, to,
3870                                       has_ipv4, has_ipv6,
3871                                       ipv4, ipv6,
3872                                       &saddr, errp);
3873          if (rv < 0) {
3874              goto cleanup;
3875          }
3876          /* Historical compat - first listen address can be used
3877           * to set the default websocket port
3878           */
3879          if (displaynum == -1) {
3880              displaynum = rv;
3881          }
3882          *retsaddr = g_renew(SocketAddress *, *retsaddr, *retnsaddr + 1);
3883          (*retsaddr)[(*retnsaddr)++] = saddr;
3884      }
3885  
3886      /* If we had multiple primary displays, we don't do defaults
3887       * for websocket, and require explicit config instead. */
3888      if (*retnsaddr > 1) {
3889          displaynum = -1;
3890      }
3891  
3892      qemu_opt_iter_init(&addriter, opts, "websocket");
3893      while ((addr = qemu_opt_iter_next(&addriter)) != NULL) {
3894          if (vnc_display_get_address(addr, true, reverse, displaynum, to,
3895                                      has_ipv4, has_ipv6,
3896                                      ipv4, ipv6,
3897                                      &wsaddr, errp) < 0) {
3898              goto cleanup;
3899          }
3900  
3901          /* Historical compat - if only a single listen address was
3902           * provided, then this is used to set the default listen
3903           * address for websocket too
3904           */
3905          if (*retnsaddr == 1 &&
3906              (*retsaddr)[0]->type == SOCKET_ADDRESS_TYPE_INET &&
3907              wsaddr->type == SOCKET_ADDRESS_TYPE_INET &&
3908              g_str_equal(wsaddr->u.inet.host, "") &&
3909              !g_str_equal((*retsaddr)[0]->u.inet.host, "")) {
3910              g_free(wsaddr->u.inet.host);
3911              wsaddr->u.inet.host = g_strdup((*retsaddr)[0]->u.inet.host);
3912          }
3913  
3914          *retwsaddr = g_renew(SocketAddress *, *retwsaddr, *retnwsaddr + 1);
3915          (*retwsaddr)[(*retnwsaddr)++] = wsaddr;
3916      }
3917  
3918      ret = 0;
3919   cleanup:
3920      if (ret < 0) {
3921          vnc_free_addresses(retsaddr, retnsaddr);
3922          vnc_free_addresses(retwsaddr, retnwsaddr);
3923      }
3924      return ret;
3925  }
3926  
3927  static int vnc_display_connect(VncDisplay *vd,
3928                                 SocketAddress **saddr,
3929                                 size_t nsaddr,
3930                                 SocketAddress **wsaddr,
3931                                 size_t nwsaddr,
3932                                 Error **errp)
3933  {
3934      /* connect to viewer */
3935      QIOChannelSocket *sioc = NULL;
3936      if (nwsaddr != 0) {
3937          error_setg(errp, "Cannot use websockets in reverse mode");
3938          return -1;
3939      }
3940      if (nsaddr != 1) {
3941          error_setg(errp, "Expected a single address in reverse mode");
3942          return -1;
3943      }
3944      /* TODO SOCKET_ADDRESS_TYPE_FD when fd has AF_UNIX */
3945      vd->is_unix = saddr[0]->type == SOCKET_ADDRESS_TYPE_UNIX;
3946      sioc = qio_channel_socket_new();
3947      qio_channel_set_name(QIO_CHANNEL(sioc), "vnc-reverse");
3948      if (qio_channel_socket_connect_sync(sioc, saddr[0], errp) < 0) {
3949          object_unref(OBJECT(sioc));
3950          return -1;
3951      }
3952      vnc_connect(vd, sioc, false, false);
3953      object_unref(OBJECT(sioc));
3954      return 0;
3955  }
3956  
3957  
3958  static int vnc_display_listen(VncDisplay *vd,
3959                                SocketAddress **saddr,
3960                                size_t nsaddr,
3961                                SocketAddress **wsaddr,
3962                                size_t nwsaddr,
3963                                Error **errp)
3964  {
3965      size_t i;
3966  
3967      if (nsaddr) {
3968          vd->listener = qio_net_listener_new();
3969          qio_net_listener_set_name(vd->listener, "vnc-listen");
3970          for (i = 0; i < nsaddr; i++) {
3971              if (qio_net_listener_open_sync(vd->listener,
3972                                             saddr[i], 1,
3973                                             errp) < 0)  {
3974                  return -1;
3975              }
3976          }
3977  
3978          qio_net_listener_set_client_func(vd->listener,
3979                                           vnc_listen_io, vd, NULL);
3980      }
3981  
3982      if (nwsaddr) {
3983          vd->wslistener = qio_net_listener_new();
3984          qio_net_listener_set_name(vd->wslistener, "vnc-ws-listen");
3985          for (i = 0; i < nwsaddr; i++) {
3986              if (qio_net_listener_open_sync(vd->wslistener,
3987                                             wsaddr[i], 1,
3988                                             errp) < 0)  {
3989                  return -1;
3990              }
3991          }
3992  
3993          qio_net_listener_set_client_func(vd->wslistener,
3994                                           vnc_listen_io, vd, NULL);
3995      }
3996  
3997      return 0;
3998  }
3999  
4000  
4001  void vnc_display_open(const char *id, Error **errp)
4002  {
4003      VncDisplay *vd = vnc_display_find(id);
4004      QemuOpts *opts = qemu_opts_find(&qemu_vnc_opts, id);
4005      SocketAddress **saddr = NULL, **wsaddr = NULL;
4006      size_t nsaddr, nwsaddr;
4007      const char *share, *device_id;
4008      QemuConsole *con;
4009      bool password = false;
4010      bool reverse = false;
4011      const char *credid;
4012      bool sasl = false;
4013      const char *tlsauthz;
4014      const char *saslauthz;
4015      int lock_key_sync = 1;
4016      int key_delay_ms;
4017      const char *audiodev;
4018      const char *passwordSecret;
4019  
4020      if (!vd) {
4021          error_setg(errp, "VNC display not active");
4022          return;
4023      }
4024      vnc_display_close(vd);
4025  
4026      if (!opts) {
4027          return;
4028      }
4029  
4030      reverse = qemu_opt_get_bool(opts, "reverse", false);
4031      if (vnc_display_get_addresses(opts, reverse, &saddr, &nsaddr,
4032                                    &wsaddr, &nwsaddr, errp) < 0) {
4033          goto fail;
4034      }
4035  
4036  
4037      passwordSecret = qemu_opt_get(opts, "password-secret");
4038      if (passwordSecret) {
4039          if (qemu_opt_get(opts, "password")) {
4040              error_setg(errp,
4041                         "'password' flag is redundant with 'password-secret'");
4042              goto fail;
4043          }
4044          vd->password = qcrypto_secret_lookup_as_utf8(passwordSecret,
4045                                                       errp);
4046          if (!vd->password) {
4047              goto fail;
4048          }
4049          password = true;
4050      } else {
4051          password = qemu_opt_get_bool(opts, "password", false);
4052      }
4053      if (password) {
4054          if (fips_get_state()) {
4055              error_setg(errp,
4056                         "VNC password auth disabled due to FIPS mode, "
4057                         "consider using the VeNCrypt or SASL authentication "
4058                         "methods as an alternative");
4059              goto fail;
4060          }
4061          if (!qcrypto_cipher_supports(
4062                  QCRYPTO_CIPHER_ALG_DES, QCRYPTO_CIPHER_MODE_ECB)) {
4063              error_setg(errp,
4064                         "Cipher backend does not support DES algorithm");
4065              goto fail;
4066          }
4067      }
4068  
4069      lock_key_sync = qemu_opt_get_bool(opts, "lock-key-sync", true);
4070      key_delay_ms = qemu_opt_get_number(opts, "key-delay-ms", 10);
4071      sasl = qemu_opt_get_bool(opts, "sasl", false);
4072  #ifndef CONFIG_VNC_SASL
4073      if (sasl) {
4074          error_setg(errp, "VNC SASL auth requires cyrus-sasl support");
4075          goto fail;
4076      }
4077  #endif /* CONFIG_VNC_SASL */
4078      credid = qemu_opt_get(opts, "tls-creds");
4079      if (credid) {
4080          Object *creds;
4081          creds = object_resolve_path_component(
4082              object_get_objects_root(), credid);
4083          if (!creds) {
4084              error_setg(errp, "No TLS credentials with id '%s'",
4085                         credid);
4086              goto fail;
4087          }
4088          vd->tlscreds = (QCryptoTLSCreds *)
4089              object_dynamic_cast(creds,
4090                                  TYPE_QCRYPTO_TLS_CREDS);
4091          if (!vd->tlscreds) {
4092              error_setg(errp, "Object with id '%s' is not TLS credentials",
4093                         credid);
4094              goto fail;
4095          }
4096          object_ref(OBJECT(vd->tlscreds));
4097  
4098          if (!qcrypto_tls_creds_check_endpoint(vd->tlscreds,
4099                                                QCRYPTO_TLS_CREDS_ENDPOINT_SERVER,
4100                                                errp)) {
4101              goto fail;
4102          }
4103      }
4104      tlsauthz = qemu_opt_get(opts, "tls-authz");
4105      if (tlsauthz && !vd->tlscreds) {
4106          error_setg(errp, "'tls-authz' provided but TLS is not enabled");
4107          goto fail;
4108      }
4109  
4110      saslauthz = qemu_opt_get(opts, "sasl-authz");
4111      if (saslauthz && !sasl) {
4112          error_setg(errp, "'sasl-authz' provided but SASL auth is not enabled");
4113          goto fail;
4114      }
4115  
4116      share = qemu_opt_get(opts, "share");
4117      if (share) {
4118          if (strcmp(share, "ignore") == 0) {
4119              vd->share_policy = VNC_SHARE_POLICY_IGNORE;
4120          } else if (strcmp(share, "allow-exclusive") == 0) {
4121              vd->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
4122          } else if (strcmp(share, "force-shared") == 0) {
4123              vd->share_policy = VNC_SHARE_POLICY_FORCE_SHARED;
4124          } else {
4125              error_setg(errp, "unknown vnc share= option");
4126              goto fail;
4127          }
4128      } else {
4129          vd->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
4130      }
4131      vd->connections_limit = qemu_opt_get_number(opts, "connections", 32);
4132  
4133  #ifdef CONFIG_VNC_JPEG
4134      vd->lossy = qemu_opt_get_bool(opts, "lossy", false);
4135  #endif
4136      vd->non_adaptive = qemu_opt_get_bool(opts, "non-adaptive", false);
4137      /* adaptive updates are only used with tight encoding and
4138       * if lossy updates are enabled so we can disable all the
4139       * calculations otherwise */
4140      if (!vd->lossy) {
4141          vd->non_adaptive = true;
4142      }
4143  
4144      vd->power_control = qemu_opt_get_bool(opts, "power-control", false);
4145  
4146      if (tlsauthz) {
4147          vd->tlsauthzid = g_strdup(tlsauthz);
4148      }
4149  #ifdef CONFIG_VNC_SASL
4150      if (sasl) {
4151          if (saslauthz) {
4152              vd->sasl.authzid = g_strdup(saslauthz);
4153          }
4154      }
4155  #endif
4156  
4157      if (vnc_display_setup_auth(&vd->auth, &vd->subauth,
4158                                 vd->tlscreds, password,
4159                                 sasl, false, errp) < 0) {
4160          goto fail;
4161      }
4162      trace_vnc_auth_init(vd, 0, vd->auth, vd->subauth);
4163  
4164      if (vnc_display_setup_auth(&vd->ws_auth, &vd->ws_subauth,
4165                                 vd->tlscreds, password,
4166                                 sasl, true, errp) < 0) {
4167          goto fail;
4168      }
4169      trace_vnc_auth_init(vd, 1, vd->ws_auth, vd->ws_subauth);
4170  
4171  #ifdef CONFIG_VNC_SASL
4172      if (sasl && !vnc_sasl_server_init(errp)) {
4173          goto fail;
4174      }
4175  #endif
4176      vd->lock_key_sync = lock_key_sync;
4177      if (lock_key_sync) {
4178          vd->led = qemu_add_led_event_handler(kbd_leds, vd);
4179      }
4180      vd->ledstate = 0;
4181  
4182      audiodev = qemu_opt_get(opts, "audiodev");
4183      if (audiodev) {
4184          vd->audio_state = audio_state_by_name(audiodev);
4185          if (!vd->audio_state) {
4186              error_setg(errp, "Audiodev '%s' not found", audiodev);
4187              goto fail;
4188          }
4189      }
4190  
4191      device_id = qemu_opt_get(opts, "display");
4192      if (device_id) {
4193          int head = qemu_opt_get_number(opts, "head", 0);
4194          Error *err = NULL;
4195  
4196          con = qemu_console_lookup_by_device_name(device_id, head, &err);
4197          if (err) {
4198              error_propagate(errp, err);
4199              goto fail;
4200          }
4201      } else {
4202          con = NULL;
4203      }
4204  
4205      if (con != vd->dcl.con) {
4206          qkbd_state_free(vd->kbd);
4207          unregister_displaychangelistener(&vd->dcl);
4208          vd->dcl.con = con;
4209          register_displaychangelistener(&vd->dcl);
4210          vd->kbd = qkbd_state_init(vd->dcl.con);
4211      }
4212      qkbd_state_set_delay(vd->kbd, key_delay_ms);
4213  
4214      if (saddr == NULL) {
4215          goto cleanup;
4216      }
4217  
4218      if (reverse) {
4219          if (vnc_display_connect(vd, saddr, nsaddr, wsaddr, nwsaddr, errp) < 0) {
4220              goto fail;
4221          }
4222      } else {
4223          if (vnc_display_listen(vd, saddr, nsaddr, wsaddr, nwsaddr, errp) < 0) {
4224              goto fail;
4225          }
4226      }
4227  
4228      if (qemu_opt_get(opts, "to")) {
4229          vnc_display_print_local_addr(vd);
4230      }
4231  
4232   cleanup:
4233      vnc_free_addresses(&saddr, &nsaddr);
4234      vnc_free_addresses(&wsaddr, &nwsaddr);
4235      return;
4236  
4237  fail:
4238      vnc_display_close(vd);
4239      goto cleanup;
4240  }
4241  
4242  void vnc_display_add_client(const char *id, int csock, bool skipauth)
4243  {
4244      VncDisplay *vd = vnc_display_find(id);
4245      QIOChannelSocket *sioc;
4246  
4247      if (!vd) {
4248          return;
4249      }
4250  
4251      sioc = qio_channel_socket_new_fd(csock, NULL);
4252      if (sioc) {
4253          qio_channel_set_name(QIO_CHANNEL(sioc), "vnc-server");
4254          vnc_connect(vd, sioc, skipauth, false);
4255          object_unref(OBJECT(sioc));
4256      }
4257  }
4258  
4259  static void vnc_auto_assign_id(QemuOptsList *olist, QemuOpts *opts)
4260  {
4261      int i = 2;
4262      char *id;
4263  
4264      id = g_strdup("default");
4265      while (qemu_opts_find(olist, id)) {
4266          g_free(id);
4267          id = g_strdup_printf("vnc%d", i++);
4268      }
4269      qemu_opts_set_id(opts, id);
4270  }
4271  
4272  void vnc_parse(const char *str)
4273  {
4274      QemuOptsList *olist = qemu_find_opts("vnc");
4275      QemuOpts *opts = qemu_opts_parse_noisily(olist, str, !is_help_option(str));
4276      const char *id;
4277  
4278      if (!opts) {
4279          exit(1);
4280      }
4281  
4282      id = qemu_opts_id(opts);
4283      if (!id) {
4284          /* auto-assign id if not present */
4285          vnc_auto_assign_id(olist, opts);
4286      }
4287  }
4288  
4289  int vnc_init_func(void *opaque, QemuOpts *opts, Error **errp)
4290  {
4291      Error *local_err = NULL;
4292      char *id = (char *)qemu_opts_id(opts);
4293  
4294      assert(id);
4295      vnc_display_init(id, &local_err);
4296      if (local_err) {
4297          error_propagate(errp, local_err);
4298          return -1;
4299      }
4300      vnc_display_open(id, &local_err);
4301      if (local_err != NULL) {
4302          error_propagate(errp, local_err);
4303          return -1;
4304      }
4305      return 0;
4306  }
4307  
4308  static void vnc_register_config(void)
4309  {
4310      qemu_add_opts(&qemu_vnc_opts);
4311  }
4312  opts_init(vnc_register_config);
4313