xref: /openbmc/qemu/ui/vnc.c (revision db725815)
1 /*
2  * QEMU VNC display driver
3  *
4  * Copyright (C) 2006 Anthony Liguori <anthony@codemonkey.ws>
5  * Copyright (C) 2006 Fabrice Bellard
6  * Copyright (C) 2009 Red Hat, Inc
7  *
8  * Permission is hereby granted, free of charge, to any person obtaining a copy
9  * of this software and associated documentation files (the "Software"), to deal
10  * in the Software without restriction, including without limitation the rights
11  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
12  * copies of the Software, and to permit persons to whom the Software is
13  * furnished to do so, subject to the following conditions:
14  *
15  * The above copyright notice and this permission notice shall be included in
16  * all copies or substantial portions of the Software.
17  *
18  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
19  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
20  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
21  * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
22  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
23  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
24  * THE SOFTWARE.
25  */
26 
27 #include "qemu/osdep.h"
28 #include "vnc.h"
29 #include "vnc-jobs.h"
30 #include "trace.h"
31 #include "hw/qdev-core.h"
32 #include "sysemu/sysemu.h"
33 #include "qemu/error-report.h"
34 #include "qemu/main-loop.h"
35 #include "qemu/module.h"
36 #include "qemu/option.h"
37 #include "qemu/sockets.h"
38 #include "qemu/timer.h"
39 #include "authz/list.h"
40 #include "qemu/config-file.h"
41 #include "qapi/qapi-emit-events.h"
42 #include "qapi/qapi-events-ui.h"
43 #include "qapi/error.h"
44 #include "qapi/qapi-commands-ui.h"
45 #include "ui/input.h"
46 #include "crypto/hash.h"
47 #include "crypto/tlscredsanon.h"
48 #include "crypto/tlscredsx509.h"
49 #include "crypto/random.h"
50 #include "qom/object_interfaces.h"
51 #include "qemu/cutils.h"
52 #include "io/dns-resolver.h"
53 
54 #define VNC_REFRESH_INTERVAL_BASE GUI_REFRESH_INTERVAL_DEFAULT
55 #define VNC_REFRESH_INTERVAL_INC  50
56 #define VNC_REFRESH_INTERVAL_MAX  GUI_REFRESH_INTERVAL_IDLE
57 static const struct timeval VNC_REFRESH_STATS = { 0, 500000 };
58 static const struct timeval VNC_REFRESH_LOSSY = { 2, 0 };
59 
60 #include "vnc_keysym.h"
61 #include "crypto/cipher.h"
62 
63 static QTAILQ_HEAD(, VncDisplay) vnc_displays =
64     QTAILQ_HEAD_INITIALIZER(vnc_displays);
65 
66 static int vnc_cursor_define(VncState *vs);
67 static void vnc_update_throttle_offset(VncState *vs);
68 
69 static void vnc_set_share_mode(VncState *vs, VncShareMode mode)
70 {
71 #ifdef _VNC_DEBUG
72     static const char *mn[] = {
73         [0]                           = "undefined",
74         [VNC_SHARE_MODE_CONNECTING]   = "connecting",
75         [VNC_SHARE_MODE_SHARED]       = "shared",
76         [VNC_SHARE_MODE_EXCLUSIVE]    = "exclusive",
77         [VNC_SHARE_MODE_DISCONNECTED] = "disconnected",
78     };
79     fprintf(stderr, "%s/%p: %s -> %s\n", __func__,
80             vs->ioc, mn[vs->share_mode], mn[mode]);
81 #endif
82 
83     switch (vs->share_mode) {
84     case VNC_SHARE_MODE_CONNECTING:
85         vs->vd->num_connecting--;
86         break;
87     case VNC_SHARE_MODE_SHARED:
88         vs->vd->num_shared--;
89         break;
90     case VNC_SHARE_MODE_EXCLUSIVE:
91         vs->vd->num_exclusive--;
92         break;
93     default:
94         break;
95     }
96 
97     vs->share_mode = mode;
98 
99     switch (vs->share_mode) {
100     case VNC_SHARE_MODE_CONNECTING:
101         vs->vd->num_connecting++;
102         break;
103     case VNC_SHARE_MODE_SHARED:
104         vs->vd->num_shared++;
105         break;
106     case VNC_SHARE_MODE_EXCLUSIVE:
107         vs->vd->num_exclusive++;
108         break;
109     default:
110         break;
111     }
112 }
113 
114 
115 static void vnc_init_basic_info(SocketAddress *addr,
116                                 VncBasicInfo *info,
117                                 Error **errp)
118 {
119     switch (addr->type) {
120     case SOCKET_ADDRESS_TYPE_INET:
121         info->host = g_strdup(addr->u.inet.host);
122         info->service = g_strdup(addr->u.inet.port);
123         if (addr->u.inet.ipv6) {
124             info->family = NETWORK_ADDRESS_FAMILY_IPV6;
125         } else {
126             info->family = NETWORK_ADDRESS_FAMILY_IPV4;
127         }
128         break;
129 
130     case SOCKET_ADDRESS_TYPE_UNIX:
131         info->host = g_strdup("");
132         info->service = g_strdup(addr->u.q_unix.path);
133         info->family = NETWORK_ADDRESS_FAMILY_UNIX;
134         break;
135 
136     case SOCKET_ADDRESS_TYPE_VSOCK:
137     case SOCKET_ADDRESS_TYPE_FD:
138         error_setg(errp, "Unsupported socket address type %s",
139                    SocketAddressType_str(addr->type));
140         break;
141     default:
142         abort();
143     }
144 
145     return;
146 }
147 
148 static void vnc_init_basic_info_from_server_addr(QIOChannelSocket *ioc,
149                                                  VncBasicInfo *info,
150                                                  Error **errp)
151 {
152     SocketAddress *addr = NULL;
153 
154     if (!ioc) {
155         error_setg(errp, "No listener socket available");
156         return;
157     }
158 
159     addr = qio_channel_socket_get_local_address(ioc, errp);
160     if (!addr) {
161         return;
162     }
163 
164     vnc_init_basic_info(addr, info, errp);
165     qapi_free_SocketAddress(addr);
166 }
167 
168 static void vnc_init_basic_info_from_remote_addr(QIOChannelSocket *ioc,
169                                                  VncBasicInfo *info,
170                                                  Error **errp)
171 {
172     SocketAddress *addr = NULL;
173 
174     addr = qio_channel_socket_get_remote_address(ioc, errp);
175     if (!addr) {
176         return;
177     }
178 
179     vnc_init_basic_info(addr, info, errp);
180     qapi_free_SocketAddress(addr);
181 }
182 
183 static const char *vnc_auth_name(VncDisplay *vd) {
184     switch (vd->auth) {
185     case VNC_AUTH_INVALID:
186         return "invalid";
187     case VNC_AUTH_NONE:
188         return "none";
189     case VNC_AUTH_VNC:
190         return "vnc";
191     case VNC_AUTH_RA2:
192         return "ra2";
193     case VNC_AUTH_RA2NE:
194         return "ra2ne";
195     case VNC_AUTH_TIGHT:
196         return "tight";
197     case VNC_AUTH_ULTRA:
198         return "ultra";
199     case VNC_AUTH_TLS:
200         return "tls";
201     case VNC_AUTH_VENCRYPT:
202         switch (vd->subauth) {
203         case VNC_AUTH_VENCRYPT_PLAIN:
204             return "vencrypt+plain";
205         case VNC_AUTH_VENCRYPT_TLSNONE:
206             return "vencrypt+tls+none";
207         case VNC_AUTH_VENCRYPT_TLSVNC:
208             return "vencrypt+tls+vnc";
209         case VNC_AUTH_VENCRYPT_TLSPLAIN:
210             return "vencrypt+tls+plain";
211         case VNC_AUTH_VENCRYPT_X509NONE:
212             return "vencrypt+x509+none";
213         case VNC_AUTH_VENCRYPT_X509VNC:
214             return "vencrypt+x509+vnc";
215         case VNC_AUTH_VENCRYPT_X509PLAIN:
216             return "vencrypt+x509+plain";
217         case VNC_AUTH_VENCRYPT_TLSSASL:
218             return "vencrypt+tls+sasl";
219         case VNC_AUTH_VENCRYPT_X509SASL:
220             return "vencrypt+x509+sasl";
221         default:
222             return "vencrypt";
223         }
224     case VNC_AUTH_SASL:
225         return "sasl";
226     }
227     return "unknown";
228 }
229 
230 static VncServerInfo *vnc_server_info_get(VncDisplay *vd)
231 {
232     VncServerInfo *info;
233     Error *err = NULL;
234 
235     if (!vd->listener || !vd->listener->nsioc) {
236         return NULL;
237     }
238 
239     info = g_malloc0(sizeof(*info));
240     vnc_init_basic_info_from_server_addr(vd->listener->sioc[0],
241                                          qapi_VncServerInfo_base(info), &err);
242     info->has_auth = true;
243     info->auth = g_strdup(vnc_auth_name(vd));
244     if (err) {
245         qapi_free_VncServerInfo(info);
246         info = NULL;
247         error_free(err);
248     }
249     return info;
250 }
251 
252 static void vnc_client_cache_auth(VncState *client)
253 {
254     if (!client->info) {
255         return;
256     }
257 
258     if (client->tls) {
259         client->info->x509_dname =
260             qcrypto_tls_session_get_peer_name(client->tls);
261         client->info->has_x509_dname =
262             client->info->x509_dname != NULL;
263     }
264 #ifdef CONFIG_VNC_SASL
265     if (client->sasl.conn &&
266         client->sasl.username) {
267         client->info->has_sasl_username = true;
268         client->info->sasl_username = g_strdup(client->sasl.username);
269     }
270 #endif
271 }
272 
273 static void vnc_client_cache_addr(VncState *client)
274 {
275     Error *err = NULL;
276 
277     client->info = g_malloc0(sizeof(*client->info));
278     vnc_init_basic_info_from_remote_addr(client->sioc,
279                                          qapi_VncClientInfo_base(client->info),
280                                          &err);
281     if (err) {
282         qapi_free_VncClientInfo(client->info);
283         client->info = NULL;
284         error_free(err);
285     }
286 }
287 
288 static void vnc_qmp_event(VncState *vs, QAPIEvent event)
289 {
290     VncServerInfo *si;
291 
292     if (!vs->info) {
293         return;
294     }
295 
296     si = vnc_server_info_get(vs->vd);
297     if (!si) {
298         return;
299     }
300 
301     switch (event) {
302     case QAPI_EVENT_VNC_CONNECTED:
303         qapi_event_send_vnc_connected(si, qapi_VncClientInfo_base(vs->info));
304         break;
305     case QAPI_EVENT_VNC_INITIALIZED:
306         qapi_event_send_vnc_initialized(si, vs->info);
307         break;
308     case QAPI_EVENT_VNC_DISCONNECTED:
309         qapi_event_send_vnc_disconnected(si, vs->info);
310         break;
311     default:
312         break;
313     }
314 
315     qapi_free_VncServerInfo(si);
316 }
317 
318 static VncClientInfo *qmp_query_vnc_client(const VncState *client)
319 {
320     VncClientInfo *info;
321     Error *err = NULL;
322 
323     info = g_malloc0(sizeof(*info));
324 
325     vnc_init_basic_info_from_remote_addr(client->sioc,
326                                          qapi_VncClientInfo_base(info),
327                                          &err);
328     if (err) {
329         error_free(err);
330         qapi_free_VncClientInfo(info);
331         return NULL;
332     }
333 
334     info->websocket = client->websocket;
335 
336     if (client->tls) {
337         info->x509_dname = qcrypto_tls_session_get_peer_name(client->tls);
338         info->has_x509_dname = info->x509_dname != NULL;
339     }
340 #ifdef CONFIG_VNC_SASL
341     if (client->sasl.conn && client->sasl.username) {
342         info->has_sasl_username = true;
343         info->sasl_username = g_strdup(client->sasl.username);
344     }
345 #endif
346 
347     return info;
348 }
349 
350 static VncDisplay *vnc_display_find(const char *id)
351 {
352     VncDisplay *vd;
353 
354     if (id == NULL) {
355         return QTAILQ_FIRST(&vnc_displays);
356     }
357     QTAILQ_FOREACH(vd, &vnc_displays, next) {
358         if (strcmp(id, vd->id) == 0) {
359             return vd;
360         }
361     }
362     return NULL;
363 }
364 
365 static VncClientInfoList *qmp_query_client_list(VncDisplay *vd)
366 {
367     VncClientInfoList *cinfo, *prev = NULL;
368     VncState *client;
369 
370     QTAILQ_FOREACH(client, &vd->clients, next) {
371         cinfo = g_new0(VncClientInfoList, 1);
372         cinfo->value = qmp_query_vnc_client(client);
373         cinfo->next = prev;
374         prev = cinfo;
375     }
376     return prev;
377 }
378 
379 VncInfo *qmp_query_vnc(Error **errp)
380 {
381     VncInfo *info = g_malloc0(sizeof(*info));
382     VncDisplay *vd = vnc_display_find(NULL);
383     SocketAddress *addr = NULL;
384 
385     if (vd == NULL || !vd->listener || !vd->listener->nsioc) {
386         info->enabled = false;
387     } else {
388         info->enabled = true;
389 
390         /* for compatibility with the original command */
391         info->has_clients = true;
392         info->clients = qmp_query_client_list(vd);
393 
394         addr = qio_channel_socket_get_local_address(vd->listener->sioc[0],
395                                                     errp);
396         if (!addr) {
397             goto out_error;
398         }
399 
400         switch (addr->type) {
401         case SOCKET_ADDRESS_TYPE_INET:
402             info->host = g_strdup(addr->u.inet.host);
403             info->service = g_strdup(addr->u.inet.port);
404             if (addr->u.inet.ipv6) {
405                 info->family = NETWORK_ADDRESS_FAMILY_IPV6;
406             } else {
407                 info->family = NETWORK_ADDRESS_FAMILY_IPV4;
408             }
409             break;
410 
411         case SOCKET_ADDRESS_TYPE_UNIX:
412             info->host = g_strdup("");
413             info->service = g_strdup(addr->u.q_unix.path);
414             info->family = NETWORK_ADDRESS_FAMILY_UNIX;
415             break;
416 
417         case SOCKET_ADDRESS_TYPE_VSOCK:
418         case SOCKET_ADDRESS_TYPE_FD:
419             error_setg(errp, "Unsupported socket address type %s",
420                        SocketAddressType_str(addr->type));
421             goto out_error;
422         default:
423             abort();
424         }
425 
426         info->has_host = true;
427         info->has_service = true;
428         info->has_family = true;
429 
430         info->has_auth = true;
431         info->auth = g_strdup(vnc_auth_name(vd));
432     }
433 
434     qapi_free_SocketAddress(addr);
435     return info;
436 
437 out_error:
438     qapi_free_SocketAddress(addr);
439     qapi_free_VncInfo(info);
440     return NULL;
441 }
442 
443 
444 static void qmp_query_auth(int auth, int subauth,
445                            VncPrimaryAuth *qmp_auth,
446                            VncVencryptSubAuth *qmp_vencrypt,
447                            bool *qmp_has_vencrypt);
448 
449 static VncServerInfo2List *qmp_query_server_entry(QIOChannelSocket *ioc,
450                                                   bool websocket,
451                                                   int auth,
452                                                   int subauth,
453                                                   VncServerInfo2List *prev)
454 {
455     VncServerInfo2List *list;
456     VncServerInfo2 *info;
457     Error *err = NULL;
458     SocketAddress *addr;
459 
460     addr = qio_channel_socket_get_local_address(ioc, &err);
461     if (!addr) {
462         error_free(err);
463         return prev;
464     }
465 
466     info = g_new0(VncServerInfo2, 1);
467     vnc_init_basic_info(addr, qapi_VncServerInfo2_base(info), &err);
468     qapi_free_SocketAddress(addr);
469     if (err) {
470         qapi_free_VncServerInfo2(info);
471         error_free(err);
472         return prev;
473     }
474     info->websocket = websocket;
475 
476     qmp_query_auth(auth, subauth, &info->auth,
477                    &info->vencrypt, &info->has_vencrypt);
478 
479     list = g_new0(VncServerInfo2List, 1);
480     list->value = info;
481     list->next = prev;
482     return list;
483 }
484 
485 static void qmp_query_auth(int auth, int subauth,
486                            VncPrimaryAuth *qmp_auth,
487                            VncVencryptSubAuth *qmp_vencrypt,
488                            bool *qmp_has_vencrypt)
489 {
490     switch (auth) {
491     case VNC_AUTH_VNC:
492         *qmp_auth = VNC_PRIMARY_AUTH_VNC;
493         break;
494     case VNC_AUTH_RA2:
495         *qmp_auth = VNC_PRIMARY_AUTH_RA2;
496         break;
497     case VNC_AUTH_RA2NE:
498         *qmp_auth = VNC_PRIMARY_AUTH_RA2NE;
499         break;
500     case VNC_AUTH_TIGHT:
501         *qmp_auth = VNC_PRIMARY_AUTH_TIGHT;
502         break;
503     case VNC_AUTH_ULTRA:
504         *qmp_auth = VNC_PRIMARY_AUTH_ULTRA;
505         break;
506     case VNC_AUTH_TLS:
507         *qmp_auth = VNC_PRIMARY_AUTH_TLS;
508         break;
509     case VNC_AUTH_VENCRYPT:
510         *qmp_auth = VNC_PRIMARY_AUTH_VENCRYPT;
511         *qmp_has_vencrypt = true;
512         switch (subauth) {
513         case VNC_AUTH_VENCRYPT_PLAIN:
514             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_PLAIN;
515             break;
516         case VNC_AUTH_VENCRYPT_TLSNONE:
517             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_NONE;
518             break;
519         case VNC_AUTH_VENCRYPT_TLSVNC:
520             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_VNC;
521             break;
522         case VNC_AUTH_VENCRYPT_TLSPLAIN:
523             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_PLAIN;
524             break;
525         case VNC_AUTH_VENCRYPT_X509NONE:
526             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_NONE;
527             break;
528         case VNC_AUTH_VENCRYPT_X509VNC:
529             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_VNC;
530             break;
531         case VNC_AUTH_VENCRYPT_X509PLAIN:
532             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_PLAIN;
533             break;
534         case VNC_AUTH_VENCRYPT_TLSSASL:
535             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_SASL;
536             break;
537         case VNC_AUTH_VENCRYPT_X509SASL:
538             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_SASL;
539             break;
540         default:
541             *qmp_has_vencrypt = false;
542             break;
543         }
544         break;
545     case VNC_AUTH_SASL:
546         *qmp_auth = VNC_PRIMARY_AUTH_SASL;
547         break;
548     case VNC_AUTH_NONE:
549     default:
550         *qmp_auth = VNC_PRIMARY_AUTH_NONE;
551         break;
552     }
553 }
554 
555 VncInfo2List *qmp_query_vnc_servers(Error **errp)
556 {
557     VncInfo2List *item, *prev = NULL;
558     VncInfo2 *info;
559     VncDisplay *vd;
560     DeviceState *dev;
561     size_t i;
562 
563     QTAILQ_FOREACH(vd, &vnc_displays, next) {
564         info = g_new0(VncInfo2, 1);
565         info->id = g_strdup(vd->id);
566         info->clients = qmp_query_client_list(vd);
567         qmp_query_auth(vd->auth, vd->subauth, &info->auth,
568                        &info->vencrypt, &info->has_vencrypt);
569         if (vd->dcl.con) {
570             dev = DEVICE(object_property_get_link(OBJECT(vd->dcl.con),
571                                                   "device", NULL));
572             info->has_display = true;
573             info->display = g_strdup(dev->id);
574         }
575         for (i = 0; vd->listener != NULL && i < vd->listener->nsioc; i++) {
576             info->server = qmp_query_server_entry(
577                 vd->listener->sioc[i], false, vd->auth, vd->subauth,
578                 info->server);
579         }
580         for (i = 0; vd->wslistener != NULL && i < vd->wslistener->nsioc; i++) {
581             info->server = qmp_query_server_entry(
582                 vd->wslistener->sioc[i], true, vd->ws_auth,
583                 vd->ws_subauth, info->server);
584         }
585 
586         item = g_new0(VncInfo2List, 1);
587         item->value = info;
588         item->next = prev;
589         prev = item;
590     }
591     return prev;
592 }
593 
594 /* TODO
595    1) Get the queue working for IO.
596    2) there is some weirdness when using the -S option (the screen is grey
597       and not totally invalidated
598    3) resolutions > 1024
599 */
600 
601 static int vnc_update_client(VncState *vs, int has_dirty);
602 static void vnc_disconnect_start(VncState *vs);
603 
604 static void vnc_colordepth(VncState *vs);
605 static void framebuffer_update_request(VncState *vs, int incremental,
606                                        int x_position, int y_position,
607                                        int w, int h);
608 static void vnc_refresh(DisplayChangeListener *dcl);
609 static int vnc_refresh_server_surface(VncDisplay *vd);
610 
611 static int vnc_width(VncDisplay *vd)
612 {
613     return MIN(VNC_MAX_WIDTH, ROUND_UP(surface_width(vd->ds),
614                                        VNC_DIRTY_PIXELS_PER_BIT));
615 }
616 
617 static int vnc_height(VncDisplay *vd)
618 {
619     return MIN(VNC_MAX_HEIGHT, surface_height(vd->ds));
620 }
621 
622 static void vnc_set_area_dirty(DECLARE_BITMAP(dirty[VNC_MAX_HEIGHT],
623                                VNC_MAX_WIDTH / VNC_DIRTY_PIXELS_PER_BIT),
624                                VncDisplay *vd,
625                                int x, int y, int w, int h)
626 {
627     int width = vnc_width(vd);
628     int height = vnc_height(vd);
629 
630     /* this is needed this to ensure we updated all affected
631      * blocks if x % VNC_DIRTY_PIXELS_PER_BIT != 0 */
632     w += (x % VNC_DIRTY_PIXELS_PER_BIT);
633     x -= (x % VNC_DIRTY_PIXELS_PER_BIT);
634 
635     x = MIN(x, width);
636     y = MIN(y, height);
637     w = MIN(x + w, width) - x;
638     h = MIN(y + h, height);
639 
640     for (; y < h; y++) {
641         bitmap_set(dirty[y], x / VNC_DIRTY_PIXELS_PER_BIT,
642                    DIV_ROUND_UP(w, VNC_DIRTY_PIXELS_PER_BIT));
643     }
644 }
645 
646 static void vnc_dpy_update(DisplayChangeListener *dcl,
647                            int x, int y, int w, int h)
648 {
649     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
650     struct VncSurface *s = &vd->guest;
651 
652     vnc_set_area_dirty(s->dirty, vd, x, y, w, h);
653 }
654 
655 void vnc_framebuffer_update(VncState *vs, int x, int y, int w, int h,
656                             int32_t encoding)
657 {
658     vnc_write_u16(vs, x);
659     vnc_write_u16(vs, y);
660     vnc_write_u16(vs, w);
661     vnc_write_u16(vs, h);
662 
663     vnc_write_s32(vs, encoding);
664 }
665 
666 
667 static void vnc_desktop_resize(VncState *vs)
668 {
669     if (vs->ioc == NULL || !vnc_has_feature(vs, VNC_FEATURE_RESIZE)) {
670         return;
671     }
672     if (vs->client_width == pixman_image_get_width(vs->vd->server) &&
673         vs->client_height == pixman_image_get_height(vs->vd->server)) {
674         return;
675     }
676 
677     assert(pixman_image_get_width(vs->vd->server) < 65536 &&
678            pixman_image_get_width(vs->vd->server) >= 0);
679     assert(pixman_image_get_height(vs->vd->server) < 65536 &&
680            pixman_image_get_height(vs->vd->server) >= 0);
681     vs->client_width = pixman_image_get_width(vs->vd->server);
682     vs->client_height = pixman_image_get_height(vs->vd->server);
683     vnc_lock_output(vs);
684     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
685     vnc_write_u8(vs, 0);
686     vnc_write_u16(vs, 1); /* number of rects */
687     vnc_framebuffer_update(vs, 0, 0, vs->client_width, vs->client_height,
688                            VNC_ENCODING_DESKTOPRESIZE);
689     vnc_unlock_output(vs);
690     vnc_flush(vs);
691 }
692 
693 static void vnc_abort_display_jobs(VncDisplay *vd)
694 {
695     VncState *vs;
696 
697     QTAILQ_FOREACH(vs, &vd->clients, next) {
698         vnc_lock_output(vs);
699         vs->abort = true;
700         vnc_unlock_output(vs);
701     }
702     QTAILQ_FOREACH(vs, &vd->clients, next) {
703         vnc_jobs_join(vs);
704     }
705     QTAILQ_FOREACH(vs, &vd->clients, next) {
706         vnc_lock_output(vs);
707         if (vs->update == VNC_STATE_UPDATE_NONE &&
708             vs->job_update != VNC_STATE_UPDATE_NONE) {
709             /* job aborted before completion */
710             vs->update = vs->job_update;
711             vs->job_update = VNC_STATE_UPDATE_NONE;
712         }
713         vs->abort = false;
714         vnc_unlock_output(vs);
715     }
716 }
717 
718 int vnc_server_fb_stride(VncDisplay *vd)
719 {
720     return pixman_image_get_stride(vd->server);
721 }
722 
723 void *vnc_server_fb_ptr(VncDisplay *vd, int x, int y)
724 {
725     uint8_t *ptr;
726 
727     ptr  = (uint8_t *)pixman_image_get_data(vd->server);
728     ptr += y * vnc_server_fb_stride(vd);
729     ptr += x * VNC_SERVER_FB_BYTES;
730     return ptr;
731 }
732 
733 static void vnc_update_server_surface(VncDisplay *vd)
734 {
735     int width, height;
736 
737     qemu_pixman_image_unref(vd->server);
738     vd->server = NULL;
739 
740     if (QTAILQ_EMPTY(&vd->clients)) {
741         return;
742     }
743 
744     width = vnc_width(vd);
745     height = vnc_height(vd);
746     vd->server = pixman_image_create_bits(VNC_SERVER_FB_FORMAT,
747                                           width, height,
748                                           NULL, 0);
749 
750     memset(vd->guest.dirty, 0x00, sizeof(vd->guest.dirty));
751     vnc_set_area_dirty(vd->guest.dirty, vd, 0, 0,
752                        width, height);
753 }
754 
755 static bool vnc_check_pageflip(DisplaySurface *s1,
756                                DisplaySurface *s2)
757 {
758     return (s1 != NULL &&
759             s2 != NULL &&
760             surface_width(s1) == surface_width(s2) &&
761             surface_height(s1) == surface_height(s2) &&
762             surface_format(s1) == surface_format(s2));
763 
764 }
765 
766 static void vnc_dpy_switch(DisplayChangeListener *dcl,
767                            DisplaySurface *surface)
768 {
769     static const char placeholder_msg[] =
770         "Display output is not active.";
771     static DisplaySurface *placeholder;
772     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
773     bool pageflip = vnc_check_pageflip(vd->ds, surface);
774     VncState *vs;
775 
776     if (surface == NULL) {
777         if (placeholder == NULL) {
778             placeholder = qemu_create_message_surface(640, 480, placeholder_msg);
779         }
780         surface = placeholder;
781     }
782 
783     vnc_abort_display_jobs(vd);
784     vd->ds = surface;
785 
786     /* guest surface */
787     qemu_pixman_image_unref(vd->guest.fb);
788     vd->guest.fb = pixman_image_ref(surface->image);
789     vd->guest.format = surface->format;
790 
791     if (pageflip) {
792         vnc_set_area_dirty(vd->guest.dirty, vd, 0, 0,
793                            surface_width(surface),
794                            surface_height(surface));
795         return;
796     }
797 
798     /* server surface */
799     vnc_update_server_surface(vd);
800 
801     QTAILQ_FOREACH(vs, &vd->clients, next) {
802         vnc_colordepth(vs);
803         vnc_desktop_resize(vs);
804         if (vs->vd->cursor) {
805             vnc_cursor_define(vs);
806         }
807         memset(vs->dirty, 0x00, sizeof(vs->dirty));
808         vnc_set_area_dirty(vs->dirty, vd, 0, 0,
809                            vnc_width(vd),
810                            vnc_height(vd));
811         vnc_update_throttle_offset(vs);
812     }
813 }
814 
815 /* fastest code */
816 static void vnc_write_pixels_copy(VncState *vs,
817                                   void *pixels, int size)
818 {
819     vnc_write(vs, pixels, size);
820 }
821 
822 /* slowest but generic code. */
823 void vnc_convert_pixel(VncState *vs, uint8_t *buf, uint32_t v)
824 {
825     uint8_t r, g, b;
826 
827 #if VNC_SERVER_FB_FORMAT == PIXMAN_FORMAT(32, PIXMAN_TYPE_ARGB, 0, 8, 8, 8)
828     r = (((v & 0x00ff0000) >> 16) << vs->client_pf.rbits) >> 8;
829     g = (((v & 0x0000ff00) >>  8) << vs->client_pf.gbits) >> 8;
830     b = (((v & 0x000000ff) >>  0) << vs->client_pf.bbits) >> 8;
831 #else
832 # error need some bits here if you change VNC_SERVER_FB_FORMAT
833 #endif
834     v = (r << vs->client_pf.rshift) |
835         (g << vs->client_pf.gshift) |
836         (b << vs->client_pf.bshift);
837     switch (vs->client_pf.bytes_per_pixel) {
838     case 1:
839         buf[0] = v;
840         break;
841     case 2:
842         if (vs->client_be) {
843             buf[0] = v >> 8;
844             buf[1] = v;
845         } else {
846             buf[1] = v >> 8;
847             buf[0] = v;
848         }
849         break;
850     default:
851     case 4:
852         if (vs->client_be) {
853             buf[0] = v >> 24;
854             buf[1] = v >> 16;
855             buf[2] = v >> 8;
856             buf[3] = v;
857         } else {
858             buf[3] = v >> 24;
859             buf[2] = v >> 16;
860             buf[1] = v >> 8;
861             buf[0] = v;
862         }
863         break;
864     }
865 }
866 
867 static void vnc_write_pixels_generic(VncState *vs,
868                                      void *pixels1, int size)
869 {
870     uint8_t buf[4];
871 
872     if (VNC_SERVER_FB_BYTES == 4) {
873         uint32_t *pixels = pixels1;
874         int n, i;
875         n = size >> 2;
876         for (i = 0; i < n; i++) {
877             vnc_convert_pixel(vs, buf, pixels[i]);
878             vnc_write(vs, buf, vs->client_pf.bytes_per_pixel);
879         }
880     }
881 }
882 
883 int vnc_raw_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
884 {
885     int i;
886     uint8_t *row;
887     VncDisplay *vd = vs->vd;
888 
889     row = vnc_server_fb_ptr(vd, x, y);
890     for (i = 0; i < h; i++) {
891         vs->write_pixels(vs, row, w * VNC_SERVER_FB_BYTES);
892         row += vnc_server_fb_stride(vd);
893     }
894     return 1;
895 }
896 
897 int vnc_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
898 {
899     int n = 0;
900     bool encode_raw = false;
901     size_t saved_offs = vs->output.offset;
902 
903     switch(vs->vnc_encoding) {
904         case VNC_ENCODING_ZLIB:
905             n = vnc_zlib_send_framebuffer_update(vs, x, y, w, h);
906             break;
907         case VNC_ENCODING_HEXTILE:
908             vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_HEXTILE);
909             n = vnc_hextile_send_framebuffer_update(vs, x, y, w, h);
910             break;
911         case VNC_ENCODING_TIGHT:
912             n = vnc_tight_send_framebuffer_update(vs, x, y, w, h);
913             break;
914         case VNC_ENCODING_TIGHT_PNG:
915             n = vnc_tight_png_send_framebuffer_update(vs, x, y, w, h);
916             break;
917         case VNC_ENCODING_ZRLE:
918             n = vnc_zrle_send_framebuffer_update(vs, x, y, w, h);
919             break;
920         case VNC_ENCODING_ZYWRLE:
921             n = vnc_zywrle_send_framebuffer_update(vs, x, y, w, h);
922             break;
923         default:
924             encode_raw = true;
925             break;
926     }
927 
928     /* If the client has the same pixel format as our internal buffer and
929      * a RAW encoding would need less space fall back to RAW encoding to
930      * save bandwidth and processing power in the client. */
931     if (!encode_raw && vs->write_pixels == vnc_write_pixels_copy &&
932         12 + h * w * VNC_SERVER_FB_BYTES <= (vs->output.offset - saved_offs)) {
933         vs->output.offset = saved_offs;
934         encode_raw = true;
935     }
936 
937     if (encode_raw) {
938         vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_RAW);
939         n = vnc_raw_send_framebuffer_update(vs, x, y, w, h);
940     }
941 
942     return n;
943 }
944 
945 static void vnc_mouse_set(DisplayChangeListener *dcl,
946                           int x, int y, int visible)
947 {
948     /* can we ask the client(s) to move the pointer ??? */
949 }
950 
951 static int vnc_cursor_define(VncState *vs)
952 {
953     QEMUCursor *c = vs->vd->cursor;
954     int isize;
955 
956     if (vnc_has_feature(vs, VNC_FEATURE_RICH_CURSOR)) {
957         vnc_lock_output(vs);
958         vnc_write_u8(vs,  VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
959         vnc_write_u8(vs,  0);  /*  padding     */
960         vnc_write_u16(vs, 1);  /*  # of rects  */
961         vnc_framebuffer_update(vs, c->hot_x, c->hot_y, c->width, c->height,
962                                VNC_ENCODING_RICH_CURSOR);
963         isize = c->width * c->height * vs->client_pf.bytes_per_pixel;
964         vnc_write_pixels_generic(vs, c->data, isize);
965         vnc_write(vs, vs->vd->cursor_mask, vs->vd->cursor_msize);
966         vnc_unlock_output(vs);
967         return 0;
968     }
969     return -1;
970 }
971 
972 static void vnc_dpy_cursor_define(DisplayChangeListener *dcl,
973                                   QEMUCursor *c)
974 {
975     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
976     VncState *vs;
977 
978     cursor_put(vd->cursor);
979     g_free(vd->cursor_mask);
980 
981     vd->cursor = c;
982     cursor_get(vd->cursor);
983     vd->cursor_msize = cursor_get_mono_bpl(c) * c->height;
984     vd->cursor_mask = g_malloc0(vd->cursor_msize);
985     cursor_get_mono_mask(c, 0, vd->cursor_mask);
986 
987     QTAILQ_FOREACH(vs, &vd->clients, next) {
988         vnc_cursor_define(vs);
989     }
990 }
991 
992 static int find_and_clear_dirty_height(VncState *vs,
993                                        int y, int last_x, int x, int height)
994 {
995     int h;
996 
997     for (h = 1; h < (height - y); h++) {
998         if (!test_bit(last_x, vs->dirty[y + h])) {
999             break;
1000         }
1001         bitmap_clear(vs->dirty[y + h], last_x, x - last_x);
1002     }
1003 
1004     return h;
1005 }
1006 
1007 /*
1008  * Figure out how much pending data we should allow in the output
1009  * buffer before we throttle incremental display updates, and/or
1010  * drop audio samples.
1011  *
1012  * We allow for equiv of 1 full display's worth of FB updates,
1013  * and 1 second of audio samples. If audio backlog was larger
1014  * than that the client would already suffering awful audio
1015  * glitches, so dropping samples is no worse really).
1016  */
1017 static void vnc_update_throttle_offset(VncState *vs)
1018 {
1019     size_t offset =
1020         vs->client_width * vs->client_height * vs->client_pf.bytes_per_pixel;
1021 
1022     if (vs->audio_cap) {
1023         int bps;
1024         switch (vs->as.fmt) {
1025         default:
1026         case  AUDIO_FORMAT_U8:
1027         case  AUDIO_FORMAT_S8:
1028             bps = 1;
1029             break;
1030         case  AUDIO_FORMAT_U16:
1031         case  AUDIO_FORMAT_S16:
1032             bps = 2;
1033             break;
1034         case  AUDIO_FORMAT_U32:
1035         case  AUDIO_FORMAT_S32:
1036             bps = 4;
1037             break;
1038         }
1039         offset += vs->as.freq * bps * vs->as.nchannels;
1040     }
1041 
1042     /* Put a floor of 1MB on offset, so that if we have a large pending
1043      * buffer and the display is resized to a small size & back again
1044      * we don't suddenly apply a tiny send limit
1045      */
1046     offset = MAX(offset, 1024 * 1024);
1047 
1048     if (vs->throttle_output_offset != offset) {
1049         trace_vnc_client_throttle_threshold(
1050             vs, vs->ioc, vs->throttle_output_offset, offset, vs->client_width,
1051             vs->client_height, vs->client_pf.bytes_per_pixel, vs->audio_cap);
1052     }
1053 
1054     vs->throttle_output_offset = offset;
1055 }
1056 
1057 static bool vnc_should_update(VncState *vs)
1058 {
1059     switch (vs->update) {
1060     case VNC_STATE_UPDATE_NONE:
1061         break;
1062     case VNC_STATE_UPDATE_INCREMENTAL:
1063         /* Only allow incremental updates if the pending send queue
1064          * is less than the permitted threshold, and the job worker
1065          * is completely idle.
1066          */
1067         if (vs->output.offset < vs->throttle_output_offset &&
1068             vs->job_update == VNC_STATE_UPDATE_NONE) {
1069             return true;
1070         }
1071         trace_vnc_client_throttle_incremental(
1072             vs, vs->ioc, vs->job_update, vs->output.offset);
1073         break;
1074     case VNC_STATE_UPDATE_FORCE:
1075         /* Only allow forced updates if the pending send queue
1076          * does not contain a previous forced update, and the
1077          * job worker is completely idle.
1078          *
1079          * Note this means we'll queue a forced update, even if
1080          * the output buffer size is otherwise over the throttle
1081          * output limit.
1082          */
1083         if (vs->force_update_offset == 0 &&
1084             vs->job_update == VNC_STATE_UPDATE_NONE) {
1085             return true;
1086         }
1087         trace_vnc_client_throttle_forced(
1088             vs, vs->ioc, vs->job_update, vs->force_update_offset);
1089         break;
1090     }
1091     return false;
1092 }
1093 
1094 static int vnc_update_client(VncState *vs, int has_dirty)
1095 {
1096     VncDisplay *vd = vs->vd;
1097     VncJob *job;
1098     int y;
1099     int height, width;
1100     int n = 0;
1101 
1102     if (vs->disconnecting) {
1103         vnc_disconnect_finish(vs);
1104         return 0;
1105     }
1106 
1107     vs->has_dirty += has_dirty;
1108     if (!vnc_should_update(vs)) {
1109         return 0;
1110     }
1111 
1112     if (!vs->has_dirty && vs->update != VNC_STATE_UPDATE_FORCE) {
1113         return 0;
1114     }
1115 
1116     /*
1117      * Send screen updates to the vnc client using the server
1118      * surface and server dirty map.  guest surface updates
1119      * happening in parallel don't disturb us, the next pass will
1120      * send them to the client.
1121      */
1122     job = vnc_job_new(vs);
1123 
1124     height = pixman_image_get_height(vd->server);
1125     width = pixman_image_get_width(vd->server);
1126 
1127     y = 0;
1128     for (;;) {
1129         int x, h;
1130         unsigned long x2;
1131         unsigned long offset = find_next_bit((unsigned long *) &vs->dirty,
1132                                              height * VNC_DIRTY_BPL(vs),
1133                                              y * VNC_DIRTY_BPL(vs));
1134         if (offset == height * VNC_DIRTY_BPL(vs)) {
1135             /* no more dirty bits */
1136             break;
1137         }
1138         y = offset / VNC_DIRTY_BPL(vs);
1139         x = offset % VNC_DIRTY_BPL(vs);
1140         x2 = find_next_zero_bit((unsigned long *) &vs->dirty[y],
1141                                 VNC_DIRTY_BPL(vs), x);
1142         bitmap_clear(vs->dirty[y], x, x2 - x);
1143         h = find_and_clear_dirty_height(vs, y, x, x2, height);
1144         x2 = MIN(x2, width / VNC_DIRTY_PIXELS_PER_BIT);
1145         if (x2 > x) {
1146             n += vnc_job_add_rect(job, x * VNC_DIRTY_PIXELS_PER_BIT, y,
1147                                   (x2 - x) * VNC_DIRTY_PIXELS_PER_BIT, h);
1148         }
1149         if (!x && x2 == width / VNC_DIRTY_PIXELS_PER_BIT) {
1150             y += h;
1151             if (y == height) {
1152                 break;
1153             }
1154         }
1155     }
1156 
1157     vs->job_update = vs->update;
1158     vs->update = VNC_STATE_UPDATE_NONE;
1159     vnc_job_push(job);
1160     vs->has_dirty = 0;
1161     return n;
1162 }
1163 
1164 /* audio */
1165 static void audio_capture_notify(void *opaque, audcnotification_e cmd)
1166 {
1167     VncState *vs = opaque;
1168 
1169     assert(vs->magic == VNC_MAGIC);
1170     switch (cmd) {
1171     case AUD_CNOTIFY_DISABLE:
1172         vnc_lock_output(vs);
1173         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1174         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1175         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_END);
1176         vnc_unlock_output(vs);
1177         vnc_flush(vs);
1178         break;
1179 
1180     case AUD_CNOTIFY_ENABLE:
1181         vnc_lock_output(vs);
1182         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1183         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1184         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_BEGIN);
1185         vnc_unlock_output(vs);
1186         vnc_flush(vs);
1187         break;
1188     }
1189 }
1190 
1191 static void audio_capture_destroy(void *opaque)
1192 {
1193 }
1194 
1195 static void audio_capture(void *opaque, void *buf, int size)
1196 {
1197     VncState *vs = opaque;
1198 
1199     assert(vs->magic == VNC_MAGIC);
1200     vnc_lock_output(vs);
1201     if (vs->output.offset < vs->throttle_output_offset) {
1202         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1203         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1204         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_DATA);
1205         vnc_write_u32(vs, size);
1206         vnc_write(vs, buf, size);
1207     } else {
1208         trace_vnc_client_throttle_audio(vs, vs->ioc, vs->output.offset);
1209     }
1210     vnc_unlock_output(vs);
1211     vnc_flush(vs);
1212 }
1213 
1214 static void audio_add(VncState *vs)
1215 {
1216     struct audio_capture_ops ops;
1217 
1218     if (vs->audio_cap) {
1219         error_report("audio already running");
1220         return;
1221     }
1222 
1223     ops.notify = audio_capture_notify;
1224     ops.destroy = audio_capture_destroy;
1225     ops.capture = audio_capture;
1226 
1227     vs->audio_cap = AUD_add_capture(&vs->as, &ops, vs);
1228     if (!vs->audio_cap) {
1229         error_report("Failed to add audio capture");
1230     }
1231 }
1232 
1233 static void audio_del(VncState *vs)
1234 {
1235     if (vs->audio_cap) {
1236         AUD_del_capture(vs->audio_cap, vs);
1237         vs->audio_cap = NULL;
1238     }
1239 }
1240 
1241 static void vnc_disconnect_start(VncState *vs)
1242 {
1243     if (vs->disconnecting) {
1244         return;
1245     }
1246     trace_vnc_client_disconnect_start(vs, vs->ioc);
1247     vnc_set_share_mode(vs, VNC_SHARE_MODE_DISCONNECTED);
1248     if (vs->ioc_tag) {
1249         g_source_remove(vs->ioc_tag);
1250         vs->ioc_tag = 0;
1251     }
1252     qio_channel_close(vs->ioc, NULL);
1253     vs->disconnecting = TRUE;
1254 }
1255 
1256 void vnc_disconnect_finish(VncState *vs)
1257 {
1258     int i;
1259 
1260     trace_vnc_client_disconnect_finish(vs, vs->ioc);
1261 
1262     vnc_jobs_join(vs); /* Wait encoding jobs */
1263 
1264     vnc_lock_output(vs);
1265     vnc_qmp_event(vs, QAPI_EVENT_VNC_DISCONNECTED);
1266 
1267     buffer_free(&vs->input);
1268     buffer_free(&vs->output);
1269 
1270     qapi_free_VncClientInfo(vs->info);
1271 
1272     vnc_zlib_clear(vs);
1273     vnc_tight_clear(vs);
1274     vnc_zrle_clear(vs);
1275 
1276 #ifdef CONFIG_VNC_SASL
1277     vnc_sasl_client_cleanup(vs);
1278 #endif /* CONFIG_VNC_SASL */
1279     audio_del(vs);
1280     qkbd_state_lift_all_keys(vs->vd->kbd);
1281 
1282     if (vs->mouse_mode_notifier.notify != NULL) {
1283         qemu_remove_mouse_mode_change_notifier(&vs->mouse_mode_notifier);
1284     }
1285     QTAILQ_REMOVE(&vs->vd->clients, vs, next);
1286     if (QTAILQ_EMPTY(&vs->vd->clients)) {
1287         /* last client gone */
1288         vnc_update_server_surface(vs->vd);
1289     }
1290 
1291     vnc_unlock_output(vs);
1292 
1293     qemu_mutex_destroy(&vs->output_mutex);
1294     if (vs->bh != NULL) {
1295         qemu_bh_delete(vs->bh);
1296     }
1297     buffer_free(&vs->jobs_buffer);
1298 
1299     for (i = 0; i < VNC_STAT_ROWS; ++i) {
1300         g_free(vs->lossy_rect[i]);
1301     }
1302     g_free(vs->lossy_rect);
1303 
1304     object_unref(OBJECT(vs->ioc));
1305     vs->ioc = NULL;
1306     object_unref(OBJECT(vs->sioc));
1307     vs->sioc = NULL;
1308     vs->magic = 0;
1309     g_free(vs);
1310 }
1311 
1312 size_t vnc_client_io_error(VncState *vs, ssize_t ret, Error **errp)
1313 {
1314     if (ret <= 0) {
1315         if (ret == 0) {
1316             trace_vnc_client_eof(vs, vs->ioc);
1317             vnc_disconnect_start(vs);
1318         } else if (ret != QIO_CHANNEL_ERR_BLOCK) {
1319             trace_vnc_client_io_error(vs, vs->ioc,
1320                                       errp ? error_get_pretty(*errp) :
1321                                       "Unknown");
1322             vnc_disconnect_start(vs);
1323         }
1324 
1325         if (errp) {
1326             error_free(*errp);
1327             *errp = NULL;
1328         }
1329         return 0;
1330     }
1331     return ret;
1332 }
1333 
1334 
1335 void vnc_client_error(VncState *vs)
1336 {
1337     VNC_DEBUG("Closing down client sock: protocol error\n");
1338     vnc_disconnect_start(vs);
1339 }
1340 
1341 
1342 /*
1343  * Called to write a chunk of data to the client socket. The data may
1344  * be the raw data, or may have already been encoded by SASL.
1345  * The data will be written either straight onto the socket, or
1346  * written via the GNUTLS wrappers, if TLS/SSL encryption is enabled
1347  *
1348  * NB, it is theoretically possible to have 2 layers of encryption,
1349  * both SASL, and this TLS layer. It is highly unlikely in practice
1350  * though, since SASL encryption will typically be a no-op if TLS
1351  * is active
1352  *
1353  * Returns the number of bytes written, which may be less than
1354  * the requested 'datalen' if the socket would block. Returns
1355  * 0 on I/O error, and disconnects the client socket.
1356  */
1357 size_t vnc_client_write_buf(VncState *vs, const uint8_t *data, size_t datalen)
1358 {
1359     Error *err = NULL;
1360     ssize_t ret;
1361     ret = qio_channel_write(
1362         vs->ioc, (const char *)data, datalen, &err);
1363     VNC_DEBUG("Wrote wire %p %zd -> %ld\n", data, datalen, ret);
1364     return vnc_client_io_error(vs, ret, &err);
1365 }
1366 
1367 
1368 /*
1369  * Called to write buffered data to the client socket, when not
1370  * using any SASL SSF encryption layers. Will write as much data
1371  * as possible without blocking. If all buffered data is written,
1372  * will switch the FD poll() handler back to read monitoring.
1373  *
1374  * Returns the number of bytes written, which may be less than
1375  * the buffered output data if the socket would block.  Returns
1376  * 0 on I/O error, and disconnects the client socket.
1377  */
1378 static size_t vnc_client_write_plain(VncState *vs)
1379 {
1380     size_t offset;
1381     size_t ret;
1382 
1383 #ifdef CONFIG_VNC_SASL
1384     VNC_DEBUG("Write Plain: Pending output %p size %zd offset %zd. Wait SSF %d\n",
1385               vs->output.buffer, vs->output.capacity, vs->output.offset,
1386               vs->sasl.waitWriteSSF);
1387 
1388     if (vs->sasl.conn &&
1389         vs->sasl.runSSF &&
1390         vs->sasl.waitWriteSSF) {
1391         ret = vnc_client_write_buf(vs, vs->output.buffer, vs->sasl.waitWriteSSF);
1392         if (ret)
1393             vs->sasl.waitWriteSSF -= ret;
1394     } else
1395 #endif /* CONFIG_VNC_SASL */
1396         ret = vnc_client_write_buf(vs, vs->output.buffer, vs->output.offset);
1397     if (!ret)
1398         return 0;
1399 
1400     if (ret >= vs->force_update_offset) {
1401         if (vs->force_update_offset != 0) {
1402             trace_vnc_client_unthrottle_forced(vs, vs->ioc);
1403         }
1404         vs->force_update_offset = 0;
1405     } else {
1406         vs->force_update_offset -= ret;
1407     }
1408     offset = vs->output.offset;
1409     buffer_advance(&vs->output, ret);
1410     if (offset >= vs->throttle_output_offset &&
1411         vs->output.offset < vs->throttle_output_offset) {
1412         trace_vnc_client_unthrottle_incremental(vs, vs->ioc, vs->output.offset);
1413     }
1414 
1415     if (vs->output.offset == 0) {
1416         if (vs->ioc_tag) {
1417             g_source_remove(vs->ioc_tag);
1418         }
1419         vs->ioc_tag = qio_channel_add_watch(
1420             vs->ioc, G_IO_IN, vnc_client_io, vs, NULL);
1421     }
1422 
1423     return ret;
1424 }
1425 
1426 
1427 /*
1428  * First function called whenever there is data to be written to
1429  * the client socket. Will delegate actual work according to whether
1430  * SASL SSF layers are enabled (thus requiring encryption calls)
1431  */
1432 static void vnc_client_write_locked(VncState *vs)
1433 {
1434 #ifdef CONFIG_VNC_SASL
1435     if (vs->sasl.conn &&
1436         vs->sasl.runSSF &&
1437         !vs->sasl.waitWriteSSF) {
1438         vnc_client_write_sasl(vs);
1439     } else
1440 #endif /* CONFIG_VNC_SASL */
1441     {
1442         vnc_client_write_plain(vs);
1443     }
1444 }
1445 
1446 static void vnc_client_write(VncState *vs)
1447 {
1448     assert(vs->magic == VNC_MAGIC);
1449     vnc_lock_output(vs);
1450     if (vs->output.offset) {
1451         vnc_client_write_locked(vs);
1452     } else if (vs->ioc != NULL) {
1453         if (vs->ioc_tag) {
1454             g_source_remove(vs->ioc_tag);
1455         }
1456         vs->ioc_tag = qio_channel_add_watch(
1457             vs->ioc, G_IO_IN, vnc_client_io, vs, NULL);
1458     }
1459     vnc_unlock_output(vs);
1460 }
1461 
1462 void vnc_read_when(VncState *vs, VncReadEvent *func, size_t expecting)
1463 {
1464     vs->read_handler = func;
1465     vs->read_handler_expect = expecting;
1466 }
1467 
1468 
1469 /*
1470  * Called to read a chunk of data from the client socket. The data may
1471  * be the raw data, or may need to be further decoded by SASL.
1472  * The data will be read either straight from to the socket, or
1473  * read via the GNUTLS wrappers, if TLS/SSL encryption is enabled
1474  *
1475  * NB, it is theoretically possible to have 2 layers of encryption,
1476  * both SASL, and this TLS layer. It is highly unlikely in practice
1477  * though, since SASL encryption will typically be a no-op if TLS
1478  * is active
1479  *
1480  * Returns the number of bytes read, which may be less than
1481  * the requested 'datalen' if the socket would block. Returns
1482  * 0 on I/O error or EOF, and disconnects the client socket.
1483  */
1484 size_t vnc_client_read_buf(VncState *vs, uint8_t *data, size_t datalen)
1485 {
1486     ssize_t ret;
1487     Error *err = NULL;
1488     ret = qio_channel_read(
1489         vs->ioc, (char *)data, datalen, &err);
1490     VNC_DEBUG("Read wire %p %zd -> %ld\n", data, datalen, ret);
1491     return vnc_client_io_error(vs, ret, &err);
1492 }
1493 
1494 
1495 /*
1496  * Called to read data from the client socket to the input buffer,
1497  * when not using any SASL SSF encryption layers. Will read as much
1498  * data as possible without blocking.
1499  *
1500  * Returns the number of bytes read, which may be less than
1501  * the requested 'datalen' if the socket would block. Returns
1502  * 0 on I/O error or EOF, and disconnects the client socket.
1503  */
1504 static size_t vnc_client_read_plain(VncState *vs)
1505 {
1506     size_t ret;
1507     VNC_DEBUG("Read plain %p size %zd offset %zd\n",
1508               vs->input.buffer, vs->input.capacity, vs->input.offset);
1509     buffer_reserve(&vs->input, 4096);
1510     ret = vnc_client_read_buf(vs, buffer_end(&vs->input), 4096);
1511     if (!ret)
1512         return 0;
1513     vs->input.offset += ret;
1514     return ret;
1515 }
1516 
1517 static void vnc_jobs_bh(void *opaque)
1518 {
1519     VncState *vs = opaque;
1520 
1521     assert(vs->magic == VNC_MAGIC);
1522     vnc_jobs_consume_buffer(vs);
1523 }
1524 
1525 /*
1526  * First function called whenever there is more data to be read from
1527  * the client socket. Will delegate actual work according to whether
1528  * SASL SSF layers are enabled (thus requiring decryption calls)
1529  * Returns 0 on success, -1 if client disconnected
1530  */
1531 static int vnc_client_read(VncState *vs)
1532 {
1533     size_t ret;
1534 
1535 #ifdef CONFIG_VNC_SASL
1536     if (vs->sasl.conn && vs->sasl.runSSF)
1537         ret = vnc_client_read_sasl(vs);
1538     else
1539 #endif /* CONFIG_VNC_SASL */
1540         ret = vnc_client_read_plain(vs);
1541     if (!ret) {
1542         if (vs->disconnecting) {
1543             vnc_disconnect_finish(vs);
1544             return -1;
1545         }
1546         return 0;
1547     }
1548 
1549     while (vs->read_handler && vs->input.offset >= vs->read_handler_expect) {
1550         size_t len = vs->read_handler_expect;
1551         int ret;
1552 
1553         ret = vs->read_handler(vs, vs->input.buffer, len);
1554         if (vs->disconnecting) {
1555             vnc_disconnect_finish(vs);
1556             return -1;
1557         }
1558 
1559         if (!ret) {
1560             buffer_advance(&vs->input, len);
1561         } else {
1562             vs->read_handler_expect = ret;
1563         }
1564     }
1565     return 0;
1566 }
1567 
1568 gboolean vnc_client_io(QIOChannel *ioc G_GNUC_UNUSED,
1569                        GIOCondition condition, void *opaque)
1570 {
1571     VncState *vs = opaque;
1572 
1573     assert(vs->magic == VNC_MAGIC);
1574     if (condition & G_IO_IN) {
1575         if (vnc_client_read(vs) < 0) {
1576             /* vs is free()ed here */
1577             return TRUE;
1578         }
1579     }
1580     if (condition & G_IO_OUT) {
1581         vnc_client_write(vs);
1582     }
1583 
1584     if (vs->disconnecting) {
1585         if (vs->ioc_tag != 0) {
1586             g_source_remove(vs->ioc_tag);
1587         }
1588         vs->ioc_tag = 0;
1589     }
1590     return TRUE;
1591 }
1592 
1593 
1594 /*
1595  * Scale factor to apply to vs->throttle_output_offset when checking for
1596  * hard limit. Worst case normal usage could be x2, if we have a complete
1597  * incremental update and complete forced update in the output buffer.
1598  * So x3 should be good enough, but we pick x5 to be conservative and thus
1599  * (hopefully) never trigger incorrectly.
1600  */
1601 #define VNC_THROTTLE_OUTPUT_LIMIT_SCALE 5
1602 
1603 void vnc_write(VncState *vs, const void *data, size_t len)
1604 {
1605     assert(vs->magic == VNC_MAGIC);
1606     if (vs->disconnecting) {
1607         return;
1608     }
1609     /* Protection against malicious client/guest to prevent our output
1610      * buffer growing without bound if client stops reading data. This
1611      * should rarely trigger, because we have earlier throttling code
1612      * which stops issuing framebuffer updates and drops audio data
1613      * if the throttle_output_offset value is exceeded. So we only reach
1614      * this higher level if a huge number of pseudo-encodings get
1615      * triggered while data can't be sent on the socket.
1616      *
1617      * NB throttle_output_offset can be zero during early protocol
1618      * handshake, or from the job thread's VncState clone
1619      */
1620     if (vs->throttle_output_offset != 0 &&
1621         (vs->output.offset / VNC_THROTTLE_OUTPUT_LIMIT_SCALE) >
1622         vs->throttle_output_offset) {
1623         trace_vnc_client_output_limit(vs, vs->ioc, vs->output.offset,
1624                                       vs->throttle_output_offset);
1625         vnc_disconnect_start(vs);
1626         return;
1627     }
1628     buffer_reserve(&vs->output, len);
1629 
1630     if (vs->ioc != NULL && buffer_empty(&vs->output)) {
1631         if (vs->ioc_tag) {
1632             g_source_remove(vs->ioc_tag);
1633         }
1634         vs->ioc_tag = qio_channel_add_watch(
1635             vs->ioc, G_IO_IN | G_IO_OUT, vnc_client_io, vs, NULL);
1636     }
1637 
1638     buffer_append(&vs->output, data, len);
1639 }
1640 
1641 void vnc_write_s32(VncState *vs, int32_t value)
1642 {
1643     vnc_write_u32(vs, *(uint32_t *)&value);
1644 }
1645 
1646 void vnc_write_u32(VncState *vs, uint32_t value)
1647 {
1648     uint8_t buf[4];
1649 
1650     buf[0] = (value >> 24) & 0xFF;
1651     buf[1] = (value >> 16) & 0xFF;
1652     buf[2] = (value >>  8) & 0xFF;
1653     buf[3] = value & 0xFF;
1654 
1655     vnc_write(vs, buf, 4);
1656 }
1657 
1658 void vnc_write_u16(VncState *vs, uint16_t value)
1659 {
1660     uint8_t buf[2];
1661 
1662     buf[0] = (value >> 8) & 0xFF;
1663     buf[1] = value & 0xFF;
1664 
1665     vnc_write(vs, buf, 2);
1666 }
1667 
1668 void vnc_write_u8(VncState *vs, uint8_t value)
1669 {
1670     vnc_write(vs, (char *)&value, 1);
1671 }
1672 
1673 void vnc_flush(VncState *vs)
1674 {
1675     vnc_lock_output(vs);
1676     if (vs->ioc != NULL && vs->output.offset) {
1677         vnc_client_write_locked(vs);
1678     }
1679     if (vs->disconnecting) {
1680         if (vs->ioc_tag != 0) {
1681             g_source_remove(vs->ioc_tag);
1682         }
1683         vs->ioc_tag = 0;
1684     }
1685     vnc_unlock_output(vs);
1686 }
1687 
1688 static uint8_t read_u8(uint8_t *data, size_t offset)
1689 {
1690     return data[offset];
1691 }
1692 
1693 static uint16_t read_u16(uint8_t *data, size_t offset)
1694 {
1695     return ((data[offset] & 0xFF) << 8) | (data[offset + 1] & 0xFF);
1696 }
1697 
1698 static int32_t read_s32(uint8_t *data, size_t offset)
1699 {
1700     return (int32_t)((data[offset] << 24) | (data[offset + 1] << 16) |
1701                      (data[offset + 2] << 8) | data[offset + 3]);
1702 }
1703 
1704 uint32_t read_u32(uint8_t *data, size_t offset)
1705 {
1706     return ((data[offset] << 24) | (data[offset + 1] << 16) |
1707             (data[offset + 2] << 8) | data[offset + 3]);
1708 }
1709 
1710 static void client_cut_text(VncState *vs, size_t len, uint8_t *text)
1711 {
1712 }
1713 
1714 static void check_pointer_type_change(Notifier *notifier, void *data)
1715 {
1716     VncState *vs = container_of(notifier, VncState, mouse_mode_notifier);
1717     int absolute = qemu_input_is_absolute();
1718 
1719     if (vnc_has_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE) && vs->absolute != absolute) {
1720         vnc_lock_output(vs);
1721         vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1722         vnc_write_u8(vs, 0);
1723         vnc_write_u16(vs, 1);
1724         vnc_framebuffer_update(vs, absolute, 0,
1725                                pixman_image_get_width(vs->vd->server),
1726                                pixman_image_get_height(vs->vd->server),
1727                                VNC_ENCODING_POINTER_TYPE_CHANGE);
1728         vnc_unlock_output(vs);
1729         vnc_flush(vs);
1730     }
1731     vs->absolute = absolute;
1732 }
1733 
1734 static void pointer_event(VncState *vs, int button_mask, int x, int y)
1735 {
1736     static uint32_t bmap[INPUT_BUTTON__MAX] = {
1737         [INPUT_BUTTON_LEFT]       = 0x01,
1738         [INPUT_BUTTON_MIDDLE]     = 0x02,
1739         [INPUT_BUTTON_RIGHT]      = 0x04,
1740         [INPUT_BUTTON_WHEEL_UP]   = 0x08,
1741         [INPUT_BUTTON_WHEEL_DOWN] = 0x10,
1742     };
1743     QemuConsole *con = vs->vd->dcl.con;
1744     int width = pixman_image_get_width(vs->vd->server);
1745     int height = pixman_image_get_height(vs->vd->server);
1746 
1747     if (vs->last_bmask != button_mask) {
1748         qemu_input_update_buttons(con, bmap, vs->last_bmask, button_mask);
1749         vs->last_bmask = button_mask;
1750     }
1751 
1752     if (vs->absolute) {
1753         qemu_input_queue_abs(con, INPUT_AXIS_X, x, 0, width);
1754         qemu_input_queue_abs(con, INPUT_AXIS_Y, y, 0, height);
1755     } else if (vnc_has_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE)) {
1756         qemu_input_queue_rel(con, INPUT_AXIS_X, x - 0x7FFF);
1757         qemu_input_queue_rel(con, INPUT_AXIS_Y, y - 0x7FFF);
1758     } else {
1759         if (vs->last_x != -1) {
1760             qemu_input_queue_rel(con, INPUT_AXIS_X, x - vs->last_x);
1761             qemu_input_queue_rel(con, INPUT_AXIS_Y, y - vs->last_y);
1762         }
1763         vs->last_x = x;
1764         vs->last_y = y;
1765     }
1766     qemu_input_event_sync();
1767 }
1768 
1769 static void press_key(VncState *vs, QKeyCode qcode)
1770 {
1771     qkbd_state_key_event(vs->vd->kbd, qcode, true);
1772     qkbd_state_key_event(vs->vd->kbd, qcode, false);
1773 }
1774 
1775 static void vnc_led_state_change(VncState *vs)
1776 {
1777     if (!vnc_has_feature(vs, VNC_FEATURE_LED_STATE)) {
1778         return;
1779     }
1780 
1781     vnc_lock_output(vs);
1782     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1783     vnc_write_u8(vs, 0);
1784     vnc_write_u16(vs, 1);
1785     vnc_framebuffer_update(vs, 0, 0, 1, 1, VNC_ENCODING_LED_STATE);
1786     vnc_write_u8(vs, vs->vd->ledstate);
1787     vnc_unlock_output(vs);
1788     vnc_flush(vs);
1789 }
1790 
1791 static void kbd_leds(void *opaque, int ledstate)
1792 {
1793     VncDisplay *vd = opaque;
1794     VncState *client;
1795 
1796     trace_vnc_key_guest_leds((ledstate & QEMU_CAPS_LOCK_LED),
1797                              (ledstate & QEMU_NUM_LOCK_LED),
1798                              (ledstate & QEMU_SCROLL_LOCK_LED));
1799 
1800     if (ledstate == vd->ledstate) {
1801         return;
1802     }
1803 
1804     vd->ledstate = ledstate;
1805 
1806     QTAILQ_FOREACH(client, &vd->clients, next) {
1807         vnc_led_state_change(client);
1808     }
1809 }
1810 
1811 static void do_key_event(VncState *vs, int down, int keycode, int sym)
1812 {
1813     QKeyCode qcode = qemu_input_key_number_to_qcode(keycode);
1814 
1815     /* QEMU console switch */
1816     switch (qcode) {
1817     case Q_KEY_CODE_1 ... Q_KEY_CODE_9: /* '1' to '9' keys */
1818         if (vs->vd->dcl.con == NULL && down &&
1819             qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_CTRL) &&
1820             qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_ALT)) {
1821             /* Reset the modifiers sent to the current console */
1822             qkbd_state_lift_all_keys(vs->vd->kbd);
1823             console_select(qcode - Q_KEY_CODE_1);
1824             return;
1825         }
1826     default:
1827         break;
1828     }
1829 
1830     /* Turn off the lock state sync logic if the client support the led
1831        state extension.
1832     */
1833     if (down && vs->vd->lock_key_sync &&
1834         !vnc_has_feature(vs, VNC_FEATURE_LED_STATE) &&
1835         keycode_is_keypad(vs->vd->kbd_layout, keycode)) {
1836         /* If the numlock state needs to change then simulate an additional
1837            keypress before sending this one.  This will happen if the user
1838            toggles numlock away from the VNC window.
1839         */
1840         if (keysym_is_numlock(vs->vd->kbd_layout, sym & 0xFFFF)) {
1841             if (!qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_NUMLOCK)) {
1842                 trace_vnc_key_sync_numlock(true);
1843                 press_key(vs, Q_KEY_CODE_NUM_LOCK);
1844             }
1845         } else {
1846             if (qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_NUMLOCK)) {
1847                 trace_vnc_key_sync_numlock(false);
1848                 press_key(vs, Q_KEY_CODE_NUM_LOCK);
1849             }
1850         }
1851     }
1852 
1853     if (down && vs->vd->lock_key_sync &&
1854         !vnc_has_feature(vs, VNC_FEATURE_LED_STATE) &&
1855         ((sym >= 'A' && sym <= 'Z') || (sym >= 'a' && sym <= 'z'))) {
1856         /* If the capslock state needs to change then simulate an additional
1857            keypress before sending this one.  This will happen if the user
1858            toggles capslock away from the VNC window.
1859         */
1860         int uppercase = !!(sym >= 'A' && sym <= 'Z');
1861         bool shift = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_SHIFT);
1862         bool capslock = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_CAPSLOCK);
1863         if (capslock) {
1864             if (uppercase == shift) {
1865                 trace_vnc_key_sync_capslock(false);
1866                 press_key(vs, Q_KEY_CODE_CAPS_LOCK);
1867             }
1868         } else {
1869             if (uppercase != shift) {
1870                 trace_vnc_key_sync_capslock(true);
1871                 press_key(vs, Q_KEY_CODE_CAPS_LOCK);
1872             }
1873         }
1874     }
1875 
1876     qkbd_state_key_event(vs->vd->kbd, qcode, down);
1877     if (!qemu_console_is_graphic(NULL)) {
1878         bool numlock = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_NUMLOCK);
1879         bool control = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_CTRL);
1880         /* QEMU console emulation */
1881         if (down) {
1882             switch (keycode) {
1883             case 0x2a:                          /* Left Shift */
1884             case 0x36:                          /* Right Shift */
1885             case 0x1d:                          /* Left CTRL */
1886             case 0x9d:                          /* Right CTRL */
1887             case 0x38:                          /* Left ALT */
1888             case 0xb8:                          /* Right ALT */
1889                 break;
1890             case 0xc8:
1891                 kbd_put_keysym(QEMU_KEY_UP);
1892                 break;
1893             case 0xd0:
1894                 kbd_put_keysym(QEMU_KEY_DOWN);
1895                 break;
1896             case 0xcb:
1897                 kbd_put_keysym(QEMU_KEY_LEFT);
1898                 break;
1899             case 0xcd:
1900                 kbd_put_keysym(QEMU_KEY_RIGHT);
1901                 break;
1902             case 0xd3:
1903                 kbd_put_keysym(QEMU_KEY_DELETE);
1904                 break;
1905             case 0xc7:
1906                 kbd_put_keysym(QEMU_KEY_HOME);
1907                 break;
1908             case 0xcf:
1909                 kbd_put_keysym(QEMU_KEY_END);
1910                 break;
1911             case 0xc9:
1912                 kbd_put_keysym(QEMU_KEY_PAGEUP);
1913                 break;
1914             case 0xd1:
1915                 kbd_put_keysym(QEMU_KEY_PAGEDOWN);
1916                 break;
1917 
1918             case 0x47:
1919                 kbd_put_keysym(numlock ? '7' : QEMU_KEY_HOME);
1920                 break;
1921             case 0x48:
1922                 kbd_put_keysym(numlock ? '8' : QEMU_KEY_UP);
1923                 break;
1924             case 0x49:
1925                 kbd_put_keysym(numlock ? '9' : QEMU_KEY_PAGEUP);
1926                 break;
1927             case 0x4b:
1928                 kbd_put_keysym(numlock ? '4' : QEMU_KEY_LEFT);
1929                 break;
1930             case 0x4c:
1931                 kbd_put_keysym('5');
1932                 break;
1933             case 0x4d:
1934                 kbd_put_keysym(numlock ? '6' : QEMU_KEY_RIGHT);
1935                 break;
1936             case 0x4f:
1937                 kbd_put_keysym(numlock ? '1' : QEMU_KEY_END);
1938                 break;
1939             case 0x50:
1940                 kbd_put_keysym(numlock ? '2' : QEMU_KEY_DOWN);
1941                 break;
1942             case 0x51:
1943                 kbd_put_keysym(numlock ? '3' : QEMU_KEY_PAGEDOWN);
1944                 break;
1945             case 0x52:
1946                 kbd_put_keysym('0');
1947                 break;
1948             case 0x53:
1949                 kbd_put_keysym(numlock ? '.' : QEMU_KEY_DELETE);
1950                 break;
1951 
1952             case 0xb5:
1953                 kbd_put_keysym('/');
1954                 break;
1955             case 0x37:
1956                 kbd_put_keysym('*');
1957                 break;
1958             case 0x4a:
1959                 kbd_put_keysym('-');
1960                 break;
1961             case 0x4e:
1962                 kbd_put_keysym('+');
1963                 break;
1964             case 0x9c:
1965                 kbd_put_keysym('\n');
1966                 break;
1967 
1968             default:
1969                 if (control) {
1970                     kbd_put_keysym(sym & 0x1f);
1971                 } else {
1972                     kbd_put_keysym(sym);
1973                 }
1974                 break;
1975             }
1976         }
1977     }
1978 }
1979 
1980 static const char *code2name(int keycode)
1981 {
1982     return QKeyCode_str(qemu_input_key_number_to_qcode(keycode));
1983 }
1984 
1985 static void key_event(VncState *vs, int down, uint32_t sym)
1986 {
1987     int keycode;
1988     int lsym = sym;
1989 
1990     if (lsym >= 'A' && lsym <= 'Z' && qemu_console_is_graphic(NULL)) {
1991         lsym = lsym - 'A' + 'a';
1992     }
1993 
1994     keycode = keysym2scancode(vs->vd->kbd_layout, lsym & 0xFFFF,
1995                               vs->vd->kbd, down) & SCANCODE_KEYMASK;
1996     trace_vnc_key_event_map(down, sym, keycode, code2name(keycode));
1997     do_key_event(vs, down, keycode, sym);
1998 }
1999 
2000 static void ext_key_event(VncState *vs, int down,
2001                           uint32_t sym, uint16_t keycode)
2002 {
2003     /* if the user specifies a keyboard layout, always use it */
2004     if (keyboard_layout) {
2005         key_event(vs, down, sym);
2006     } else {
2007         trace_vnc_key_event_ext(down, sym, keycode, code2name(keycode));
2008         do_key_event(vs, down, keycode, sym);
2009     }
2010 }
2011 
2012 static void framebuffer_update_request(VncState *vs, int incremental,
2013                                        int x, int y, int w, int h)
2014 {
2015     if (incremental) {
2016         if (vs->update != VNC_STATE_UPDATE_FORCE) {
2017             vs->update = VNC_STATE_UPDATE_INCREMENTAL;
2018         }
2019     } else {
2020         vs->update = VNC_STATE_UPDATE_FORCE;
2021         vnc_set_area_dirty(vs->dirty, vs->vd, x, y, w, h);
2022     }
2023 }
2024 
2025 static void send_ext_key_event_ack(VncState *vs)
2026 {
2027     vnc_lock_output(vs);
2028     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2029     vnc_write_u8(vs, 0);
2030     vnc_write_u16(vs, 1);
2031     vnc_framebuffer_update(vs, 0, 0,
2032                            pixman_image_get_width(vs->vd->server),
2033                            pixman_image_get_height(vs->vd->server),
2034                            VNC_ENCODING_EXT_KEY_EVENT);
2035     vnc_unlock_output(vs);
2036     vnc_flush(vs);
2037 }
2038 
2039 static void send_ext_audio_ack(VncState *vs)
2040 {
2041     vnc_lock_output(vs);
2042     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2043     vnc_write_u8(vs, 0);
2044     vnc_write_u16(vs, 1);
2045     vnc_framebuffer_update(vs, 0, 0,
2046                            pixman_image_get_width(vs->vd->server),
2047                            pixman_image_get_height(vs->vd->server),
2048                            VNC_ENCODING_AUDIO);
2049     vnc_unlock_output(vs);
2050     vnc_flush(vs);
2051 }
2052 
2053 static void set_encodings(VncState *vs, int32_t *encodings, size_t n_encodings)
2054 {
2055     int i;
2056     unsigned int enc = 0;
2057 
2058     vs->features = 0;
2059     vs->vnc_encoding = 0;
2060     vs->tight.compression = 9;
2061     vs->tight.quality = -1; /* Lossless by default */
2062     vs->absolute = -1;
2063 
2064     /*
2065      * Start from the end because the encodings are sent in order of preference.
2066      * This way the preferred encoding (first encoding defined in the array)
2067      * will be set at the end of the loop.
2068      */
2069     for (i = n_encodings - 1; i >= 0; i--) {
2070         enc = encodings[i];
2071         switch (enc) {
2072         case VNC_ENCODING_RAW:
2073             vs->vnc_encoding = enc;
2074             break;
2075         case VNC_ENCODING_COPYRECT:
2076             vs->features |= VNC_FEATURE_COPYRECT_MASK;
2077             break;
2078         case VNC_ENCODING_HEXTILE:
2079             vs->features |= VNC_FEATURE_HEXTILE_MASK;
2080             vs->vnc_encoding = enc;
2081             break;
2082         case VNC_ENCODING_TIGHT:
2083             vs->features |= VNC_FEATURE_TIGHT_MASK;
2084             vs->vnc_encoding = enc;
2085             break;
2086 #ifdef CONFIG_VNC_PNG
2087         case VNC_ENCODING_TIGHT_PNG:
2088             vs->features |= VNC_FEATURE_TIGHT_PNG_MASK;
2089             vs->vnc_encoding = enc;
2090             break;
2091 #endif
2092         case VNC_ENCODING_ZLIB:
2093             vs->features |= VNC_FEATURE_ZLIB_MASK;
2094             vs->vnc_encoding = enc;
2095             break;
2096         case VNC_ENCODING_ZRLE:
2097             vs->features |= VNC_FEATURE_ZRLE_MASK;
2098             vs->vnc_encoding = enc;
2099             break;
2100         case VNC_ENCODING_ZYWRLE:
2101             vs->features |= VNC_FEATURE_ZYWRLE_MASK;
2102             vs->vnc_encoding = enc;
2103             break;
2104         case VNC_ENCODING_DESKTOPRESIZE:
2105             vs->features |= VNC_FEATURE_RESIZE_MASK;
2106             break;
2107         case VNC_ENCODING_POINTER_TYPE_CHANGE:
2108             vs->features |= VNC_FEATURE_POINTER_TYPE_CHANGE_MASK;
2109             break;
2110         case VNC_ENCODING_RICH_CURSOR:
2111             vs->features |= VNC_FEATURE_RICH_CURSOR_MASK;
2112             if (vs->vd->cursor) {
2113                 vnc_cursor_define(vs);
2114             }
2115             break;
2116         case VNC_ENCODING_EXT_KEY_EVENT:
2117             send_ext_key_event_ack(vs);
2118             break;
2119         case VNC_ENCODING_AUDIO:
2120             send_ext_audio_ack(vs);
2121             break;
2122         case VNC_ENCODING_WMVi:
2123             vs->features |= VNC_FEATURE_WMVI_MASK;
2124             break;
2125         case VNC_ENCODING_LED_STATE:
2126             vs->features |= VNC_FEATURE_LED_STATE_MASK;
2127             break;
2128         case VNC_ENCODING_COMPRESSLEVEL0 ... VNC_ENCODING_COMPRESSLEVEL0 + 9:
2129             vs->tight.compression = (enc & 0x0F);
2130             break;
2131         case VNC_ENCODING_QUALITYLEVEL0 ... VNC_ENCODING_QUALITYLEVEL0 + 9:
2132             if (vs->vd->lossy) {
2133                 vs->tight.quality = (enc & 0x0F);
2134             }
2135             break;
2136         default:
2137             VNC_DEBUG("Unknown encoding: %d (0x%.8x): %d\n", i, enc, enc);
2138             break;
2139         }
2140     }
2141     vnc_desktop_resize(vs);
2142     check_pointer_type_change(&vs->mouse_mode_notifier, NULL);
2143     vnc_led_state_change(vs);
2144 }
2145 
2146 static void set_pixel_conversion(VncState *vs)
2147 {
2148     pixman_format_code_t fmt = qemu_pixman_get_format(&vs->client_pf);
2149 
2150     if (fmt == VNC_SERVER_FB_FORMAT) {
2151         vs->write_pixels = vnc_write_pixels_copy;
2152         vnc_hextile_set_pixel_conversion(vs, 0);
2153     } else {
2154         vs->write_pixels = vnc_write_pixels_generic;
2155         vnc_hextile_set_pixel_conversion(vs, 1);
2156     }
2157 }
2158 
2159 static void send_color_map(VncState *vs)
2160 {
2161     int i;
2162 
2163     vnc_write_u8(vs, VNC_MSG_SERVER_SET_COLOUR_MAP_ENTRIES);
2164     vnc_write_u8(vs,  0);    /* padding     */
2165     vnc_write_u16(vs, 0);    /* first color */
2166     vnc_write_u16(vs, 256);  /* # of colors */
2167 
2168     for (i = 0; i < 256; i++) {
2169         PixelFormat *pf = &vs->client_pf;
2170 
2171         vnc_write_u16(vs, (((i >> pf->rshift) & pf->rmax) << (16 - pf->rbits)));
2172         vnc_write_u16(vs, (((i >> pf->gshift) & pf->gmax) << (16 - pf->gbits)));
2173         vnc_write_u16(vs, (((i >> pf->bshift) & pf->bmax) << (16 - pf->bbits)));
2174     }
2175 }
2176 
2177 static void set_pixel_format(VncState *vs, int bits_per_pixel,
2178                              int big_endian_flag, int true_color_flag,
2179                              int red_max, int green_max, int blue_max,
2180                              int red_shift, int green_shift, int blue_shift)
2181 {
2182     if (!true_color_flag) {
2183         /* Expose a reasonable default 256 color map */
2184         bits_per_pixel = 8;
2185         red_max = 7;
2186         green_max = 7;
2187         blue_max = 3;
2188         red_shift = 0;
2189         green_shift = 3;
2190         blue_shift = 6;
2191     }
2192 
2193     switch (bits_per_pixel) {
2194     case 8:
2195     case 16:
2196     case 32:
2197         break;
2198     default:
2199         vnc_client_error(vs);
2200         return;
2201     }
2202 
2203     vs->client_pf.rmax = red_max ? red_max : 0xFF;
2204     vs->client_pf.rbits = ctpopl(red_max);
2205     vs->client_pf.rshift = red_shift;
2206     vs->client_pf.rmask = red_max << red_shift;
2207     vs->client_pf.gmax = green_max ? green_max : 0xFF;
2208     vs->client_pf.gbits = ctpopl(green_max);
2209     vs->client_pf.gshift = green_shift;
2210     vs->client_pf.gmask = green_max << green_shift;
2211     vs->client_pf.bmax = blue_max ? blue_max : 0xFF;
2212     vs->client_pf.bbits = ctpopl(blue_max);
2213     vs->client_pf.bshift = blue_shift;
2214     vs->client_pf.bmask = blue_max << blue_shift;
2215     vs->client_pf.bits_per_pixel = bits_per_pixel;
2216     vs->client_pf.bytes_per_pixel = bits_per_pixel / 8;
2217     vs->client_pf.depth = bits_per_pixel == 32 ? 24 : bits_per_pixel;
2218     vs->client_be = big_endian_flag;
2219 
2220     if (!true_color_flag) {
2221         send_color_map(vs);
2222     }
2223 
2224     set_pixel_conversion(vs);
2225 
2226     graphic_hw_invalidate(vs->vd->dcl.con);
2227     graphic_hw_update(vs->vd->dcl.con);
2228 }
2229 
2230 static void pixel_format_message (VncState *vs) {
2231     char pad[3] = { 0, 0, 0 };
2232 
2233     vs->client_pf = qemu_default_pixelformat(32);
2234 
2235     vnc_write_u8(vs, vs->client_pf.bits_per_pixel); /* bits-per-pixel */
2236     vnc_write_u8(vs, vs->client_pf.depth); /* depth */
2237 
2238 #ifdef HOST_WORDS_BIGENDIAN
2239     vnc_write_u8(vs, 1);             /* big-endian-flag */
2240 #else
2241     vnc_write_u8(vs, 0);             /* big-endian-flag */
2242 #endif
2243     vnc_write_u8(vs, 1);             /* true-color-flag */
2244     vnc_write_u16(vs, vs->client_pf.rmax);     /* red-max */
2245     vnc_write_u16(vs, vs->client_pf.gmax);     /* green-max */
2246     vnc_write_u16(vs, vs->client_pf.bmax);     /* blue-max */
2247     vnc_write_u8(vs, vs->client_pf.rshift);    /* red-shift */
2248     vnc_write_u8(vs, vs->client_pf.gshift);    /* green-shift */
2249     vnc_write_u8(vs, vs->client_pf.bshift);    /* blue-shift */
2250     vnc_write(vs, pad, 3);           /* padding */
2251 
2252     vnc_hextile_set_pixel_conversion(vs, 0);
2253     vs->write_pixels = vnc_write_pixels_copy;
2254 }
2255 
2256 static void vnc_colordepth(VncState *vs)
2257 {
2258     if (vnc_has_feature(vs, VNC_FEATURE_WMVI)) {
2259         /* Sending a WMVi message to notify the client*/
2260         vnc_lock_output(vs);
2261         vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2262         vnc_write_u8(vs, 0);
2263         vnc_write_u16(vs, 1); /* number of rects */
2264         vnc_framebuffer_update(vs, 0, 0,
2265                                pixman_image_get_width(vs->vd->server),
2266                                pixman_image_get_height(vs->vd->server),
2267                                VNC_ENCODING_WMVi);
2268         pixel_format_message(vs);
2269         vnc_unlock_output(vs);
2270         vnc_flush(vs);
2271     } else {
2272         set_pixel_conversion(vs);
2273     }
2274 }
2275 
2276 static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
2277 {
2278     int i;
2279     uint16_t limit;
2280     uint32_t freq;
2281     VncDisplay *vd = vs->vd;
2282 
2283     if (data[0] > 3) {
2284         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
2285     }
2286 
2287     switch (data[0]) {
2288     case VNC_MSG_CLIENT_SET_PIXEL_FORMAT:
2289         if (len == 1)
2290             return 20;
2291 
2292         set_pixel_format(vs, read_u8(data, 4),
2293                          read_u8(data, 6), read_u8(data, 7),
2294                          read_u16(data, 8), read_u16(data, 10),
2295                          read_u16(data, 12), read_u8(data, 14),
2296                          read_u8(data, 15), read_u8(data, 16));
2297         break;
2298     case VNC_MSG_CLIENT_SET_ENCODINGS:
2299         if (len == 1)
2300             return 4;
2301 
2302         if (len == 4) {
2303             limit = read_u16(data, 2);
2304             if (limit > 0)
2305                 return 4 + (limit * 4);
2306         } else
2307             limit = read_u16(data, 2);
2308 
2309         for (i = 0; i < limit; i++) {
2310             int32_t val = read_s32(data, 4 + (i * 4));
2311             memcpy(data + 4 + (i * 4), &val, sizeof(val));
2312         }
2313 
2314         set_encodings(vs, (int32_t *)(data + 4), limit);
2315         break;
2316     case VNC_MSG_CLIENT_FRAMEBUFFER_UPDATE_REQUEST:
2317         if (len == 1)
2318             return 10;
2319 
2320         framebuffer_update_request(vs,
2321                                    read_u8(data, 1), read_u16(data, 2), read_u16(data, 4),
2322                                    read_u16(data, 6), read_u16(data, 8));
2323         break;
2324     case VNC_MSG_CLIENT_KEY_EVENT:
2325         if (len == 1)
2326             return 8;
2327 
2328         key_event(vs, read_u8(data, 1), read_u32(data, 4));
2329         break;
2330     case VNC_MSG_CLIENT_POINTER_EVENT:
2331         if (len == 1)
2332             return 6;
2333 
2334         pointer_event(vs, read_u8(data, 1), read_u16(data, 2), read_u16(data, 4));
2335         break;
2336     case VNC_MSG_CLIENT_CUT_TEXT:
2337         if (len == 1) {
2338             return 8;
2339         }
2340         if (len == 8) {
2341             uint32_t dlen = read_u32(data, 4);
2342             if (dlen > (1 << 20)) {
2343                 error_report("vnc: client_cut_text msg payload has %u bytes"
2344                              " which exceeds our limit of 1MB.", dlen);
2345                 vnc_client_error(vs);
2346                 break;
2347             }
2348             if (dlen > 0) {
2349                 return 8 + dlen;
2350             }
2351         }
2352 
2353         client_cut_text(vs, read_u32(data, 4), data + 8);
2354         break;
2355     case VNC_MSG_CLIENT_QEMU:
2356         if (len == 1)
2357             return 2;
2358 
2359         switch (read_u8(data, 1)) {
2360         case VNC_MSG_CLIENT_QEMU_EXT_KEY_EVENT:
2361             if (len == 2)
2362                 return 12;
2363 
2364             ext_key_event(vs, read_u16(data, 2),
2365                           read_u32(data, 4), read_u32(data, 8));
2366             break;
2367         case VNC_MSG_CLIENT_QEMU_AUDIO:
2368             if (len == 2)
2369                 return 4;
2370 
2371             switch (read_u16 (data, 2)) {
2372             case VNC_MSG_CLIENT_QEMU_AUDIO_ENABLE:
2373                 audio_add(vs);
2374                 break;
2375             case VNC_MSG_CLIENT_QEMU_AUDIO_DISABLE:
2376                 audio_del(vs);
2377                 break;
2378             case VNC_MSG_CLIENT_QEMU_AUDIO_SET_FORMAT:
2379                 if (len == 4)
2380                     return 10;
2381                 switch (read_u8(data, 4)) {
2382                 case 0: vs->as.fmt = AUDIO_FORMAT_U8; break;
2383                 case 1: vs->as.fmt = AUDIO_FORMAT_S8; break;
2384                 case 2: vs->as.fmt = AUDIO_FORMAT_U16; break;
2385                 case 3: vs->as.fmt = AUDIO_FORMAT_S16; break;
2386                 case 4: vs->as.fmt = AUDIO_FORMAT_U32; break;
2387                 case 5: vs->as.fmt = AUDIO_FORMAT_S32; break;
2388                 default:
2389                     VNC_DEBUG("Invalid audio format %d\n", read_u8(data, 4));
2390                     vnc_client_error(vs);
2391                     break;
2392                 }
2393                 vs->as.nchannels = read_u8(data, 5);
2394                 if (vs->as.nchannels != 1 && vs->as.nchannels != 2) {
2395                     VNC_DEBUG("Invalid audio channel count %d\n",
2396                               read_u8(data, 5));
2397                     vnc_client_error(vs);
2398                     break;
2399                 }
2400                 freq = read_u32(data, 6);
2401                 /* No official limit for protocol, but 48khz is a sensible
2402                  * upper bound for trustworthy clients, and this limit
2403                  * protects calculations involving 'vs->as.freq' later.
2404                  */
2405                 if (freq > 48000) {
2406                     VNC_DEBUG("Invalid audio frequency %u > 48000", freq);
2407                     vnc_client_error(vs);
2408                     break;
2409                 }
2410                 vs->as.freq = freq;
2411                 break;
2412             default:
2413                 VNC_DEBUG("Invalid audio message %d\n", read_u8(data, 4));
2414                 vnc_client_error(vs);
2415                 break;
2416             }
2417             break;
2418 
2419         default:
2420             VNC_DEBUG("Msg: %d\n", read_u16(data, 0));
2421             vnc_client_error(vs);
2422             break;
2423         }
2424         break;
2425     default:
2426         VNC_DEBUG("Msg: %d\n", data[0]);
2427         vnc_client_error(vs);
2428         break;
2429     }
2430 
2431     vnc_update_throttle_offset(vs);
2432     vnc_read_when(vs, protocol_client_msg, 1);
2433     return 0;
2434 }
2435 
2436 static int protocol_client_init(VncState *vs, uint8_t *data, size_t len)
2437 {
2438     char buf[1024];
2439     VncShareMode mode;
2440     int size;
2441 
2442     mode = data[0] ? VNC_SHARE_MODE_SHARED : VNC_SHARE_MODE_EXCLUSIVE;
2443     switch (vs->vd->share_policy) {
2444     case VNC_SHARE_POLICY_IGNORE:
2445         /*
2446          * Ignore the shared flag.  Nothing to do here.
2447          *
2448          * Doesn't conform to the rfb spec but is traditional qemu
2449          * behavior, thus left here as option for compatibility
2450          * reasons.
2451          */
2452         break;
2453     case VNC_SHARE_POLICY_ALLOW_EXCLUSIVE:
2454         /*
2455          * Policy: Allow clients ask for exclusive access.
2456          *
2457          * Implementation: When a client asks for exclusive access,
2458          * disconnect all others. Shared connects are allowed as long
2459          * as no exclusive connection exists.
2460          *
2461          * This is how the rfb spec suggests to handle the shared flag.
2462          */
2463         if (mode == VNC_SHARE_MODE_EXCLUSIVE) {
2464             VncState *client;
2465             QTAILQ_FOREACH(client, &vs->vd->clients, next) {
2466                 if (vs == client) {
2467                     continue;
2468                 }
2469                 if (client->share_mode != VNC_SHARE_MODE_EXCLUSIVE &&
2470                     client->share_mode != VNC_SHARE_MODE_SHARED) {
2471                     continue;
2472                 }
2473                 vnc_disconnect_start(client);
2474             }
2475         }
2476         if (mode == VNC_SHARE_MODE_SHARED) {
2477             if (vs->vd->num_exclusive > 0) {
2478                 vnc_disconnect_start(vs);
2479                 return 0;
2480             }
2481         }
2482         break;
2483     case VNC_SHARE_POLICY_FORCE_SHARED:
2484         /*
2485          * Policy: Shared connects only.
2486          * Implementation: Disallow clients asking for exclusive access.
2487          *
2488          * Useful for shared desktop sessions where you don't want
2489          * someone forgetting to say -shared when running the vnc
2490          * client disconnect everybody else.
2491          */
2492         if (mode == VNC_SHARE_MODE_EXCLUSIVE) {
2493             vnc_disconnect_start(vs);
2494             return 0;
2495         }
2496         break;
2497     }
2498     vnc_set_share_mode(vs, mode);
2499 
2500     if (vs->vd->num_shared > vs->vd->connections_limit) {
2501         vnc_disconnect_start(vs);
2502         return 0;
2503     }
2504 
2505     assert(pixman_image_get_width(vs->vd->server) < 65536 &&
2506            pixman_image_get_width(vs->vd->server) >= 0);
2507     assert(pixman_image_get_height(vs->vd->server) < 65536 &&
2508            pixman_image_get_height(vs->vd->server) >= 0);
2509     vs->client_width = pixman_image_get_width(vs->vd->server);
2510     vs->client_height = pixman_image_get_height(vs->vd->server);
2511     vnc_write_u16(vs, vs->client_width);
2512     vnc_write_u16(vs, vs->client_height);
2513 
2514     pixel_format_message(vs);
2515 
2516     if (qemu_name) {
2517         size = snprintf(buf, sizeof(buf), "QEMU (%s)", qemu_name);
2518         if (size > sizeof(buf)) {
2519             size = sizeof(buf);
2520         }
2521     } else {
2522         size = snprintf(buf, sizeof(buf), "QEMU");
2523     }
2524 
2525     vnc_write_u32(vs, size);
2526     vnc_write(vs, buf, size);
2527     vnc_flush(vs);
2528 
2529     vnc_client_cache_auth(vs);
2530     vnc_qmp_event(vs, QAPI_EVENT_VNC_INITIALIZED);
2531 
2532     vnc_read_when(vs, protocol_client_msg, 1);
2533 
2534     return 0;
2535 }
2536 
2537 void start_client_init(VncState *vs)
2538 {
2539     vnc_read_when(vs, protocol_client_init, 1);
2540 }
2541 
2542 static void authentication_failed(VncState *vs)
2543 {
2544     vnc_write_u32(vs, 1); /* Reject auth */
2545     if (vs->minor >= 8) {
2546         static const char err[] = "Authentication failed";
2547         vnc_write_u32(vs, sizeof(err));
2548         vnc_write(vs, err, sizeof(err));
2549     }
2550     vnc_flush(vs);
2551     vnc_client_error(vs);
2552 }
2553 
2554 static int protocol_client_auth_vnc(VncState *vs, uint8_t *data, size_t len)
2555 {
2556     unsigned char response[VNC_AUTH_CHALLENGE_SIZE];
2557     size_t i, pwlen;
2558     unsigned char key[8];
2559     time_t now = time(NULL);
2560     QCryptoCipher *cipher = NULL;
2561     Error *err = NULL;
2562 
2563     if (!vs->vd->password) {
2564         trace_vnc_auth_fail(vs, vs->auth, "password is not set", "");
2565         goto reject;
2566     }
2567     if (vs->vd->expires < now) {
2568         trace_vnc_auth_fail(vs, vs->auth, "password is expired", "");
2569         goto reject;
2570     }
2571 
2572     memcpy(response, vs->challenge, VNC_AUTH_CHALLENGE_SIZE);
2573 
2574     /* Calculate the expected challenge response */
2575     pwlen = strlen(vs->vd->password);
2576     for (i=0; i<sizeof(key); i++)
2577         key[i] = i<pwlen ? vs->vd->password[i] : 0;
2578 
2579     cipher = qcrypto_cipher_new(
2580         QCRYPTO_CIPHER_ALG_DES_RFB,
2581         QCRYPTO_CIPHER_MODE_ECB,
2582         key, G_N_ELEMENTS(key),
2583         &err);
2584     if (!cipher) {
2585         trace_vnc_auth_fail(vs, vs->auth, "cannot create cipher",
2586                             error_get_pretty(err));
2587         error_free(err);
2588         goto reject;
2589     }
2590 
2591     if (qcrypto_cipher_encrypt(cipher,
2592                                vs->challenge,
2593                                response,
2594                                VNC_AUTH_CHALLENGE_SIZE,
2595                                &err) < 0) {
2596         trace_vnc_auth_fail(vs, vs->auth, "cannot encrypt challenge response",
2597                             error_get_pretty(err));
2598         error_free(err);
2599         goto reject;
2600     }
2601 
2602     /* Compare expected vs actual challenge response */
2603     if (memcmp(response, data, VNC_AUTH_CHALLENGE_SIZE) != 0) {
2604         trace_vnc_auth_fail(vs, vs->auth, "mis-matched challenge response", "");
2605         goto reject;
2606     } else {
2607         trace_vnc_auth_pass(vs, vs->auth);
2608         vnc_write_u32(vs, 0); /* Accept auth */
2609         vnc_flush(vs);
2610 
2611         start_client_init(vs);
2612     }
2613 
2614     qcrypto_cipher_free(cipher);
2615     return 0;
2616 
2617 reject:
2618     authentication_failed(vs);
2619     qcrypto_cipher_free(cipher);
2620     return 0;
2621 }
2622 
2623 void start_auth_vnc(VncState *vs)
2624 {
2625     Error *err = NULL;
2626 
2627     if (qcrypto_random_bytes(vs->challenge, sizeof(vs->challenge), &err)) {
2628         trace_vnc_auth_fail(vs, vs->auth, "cannot get random bytes",
2629                             error_get_pretty(err));
2630         error_free(err);
2631         authentication_failed(vs);
2632         return;
2633     }
2634 
2635     /* Send client a 'random' challenge */
2636     vnc_write(vs, vs->challenge, sizeof(vs->challenge));
2637     vnc_flush(vs);
2638 
2639     vnc_read_when(vs, protocol_client_auth_vnc, sizeof(vs->challenge));
2640 }
2641 
2642 
2643 static int protocol_client_auth(VncState *vs, uint8_t *data, size_t len)
2644 {
2645     /* We only advertise 1 auth scheme at a time, so client
2646      * must pick the one we sent. Verify this */
2647     if (data[0] != vs->auth) { /* Reject auth */
2648        trace_vnc_auth_reject(vs, vs->auth, (int)data[0]);
2649        authentication_failed(vs);
2650     } else { /* Accept requested auth */
2651        trace_vnc_auth_start(vs, vs->auth);
2652        switch (vs->auth) {
2653        case VNC_AUTH_NONE:
2654            if (vs->minor >= 8) {
2655                vnc_write_u32(vs, 0); /* Accept auth completion */
2656                vnc_flush(vs);
2657            }
2658            trace_vnc_auth_pass(vs, vs->auth);
2659            start_client_init(vs);
2660            break;
2661 
2662        case VNC_AUTH_VNC:
2663            start_auth_vnc(vs);
2664            break;
2665 
2666        case VNC_AUTH_VENCRYPT:
2667            start_auth_vencrypt(vs);
2668            break;
2669 
2670 #ifdef CONFIG_VNC_SASL
2671        case VNC_AUTH_SASL:
2672            start_auth_sasl(vs);
2673            break;
2674 #endif /* CONFIG_VNC_SASL */
2675 
2676        default: /* Should not be possible, but just in case */
2677            trace_vnc_auth_fail(vs, vs->auth, "Unhandled auth method", "");
2678            authentication_failed(vs);
2679        }
2680     }
2681     return 0;
2682 }
2683 
2684 static int protocol_version(VncState *vs, uint8_t *version, size_t len)
2685 {
2686     char local[13];
2687 
2688     memcpy(local, version, 12);
2689     local[12] = 0;
2690 
2691     if (sscanf(local, "RFB %03d.%03d\n", &vs->major, &vs->minor) != 2) {
2692         VNC_DEBUG("Malformed protocol version %s\n", local);
2693         vnc_client_error(vs);
2694         return 0;
2695     }
2696     VNC_DEBUG("Client request protocol version %d.%d\n", vs->major, vs->minor);
2697     if (vs->major != 3 ||
2698         (vs->minor != 3 &&
2699          vs->minor != 4 &&
2700          vs->minor != 5 &&
2701          vs->minor != 7 &&
2702          vs->minor != 8)) {
2703         VNC_DEBUG("Unsupported client version\n");
2704         vnc_write_u32(vs, VNC_AUTH_INVALID);
2705         vnc_flush(vs);
2706         vnc_client_error(vs);
2707         return 0;
2708     }
2709     /* Some broken clients report v3.4 or v3.5, which spec requires to be treated
2710      * as equivalent to v3.3 by servers
2711      */
2712     if (vs->minor == 4 || vs->minor == 5)
2713         vs->minor = 3;
2714 
2715     if (vs->minor == 3) {
2716         trace_vnc_auth_start(vs, vs->auth);
2717         if (vs->auth == VNC_AUTH_NONE) {
2718             vnc_write_u32(vs, vs->auth);
2719             vnc_flush(vs);
2720             trace_vnc_auth_pass(vs, vs->auth);
2721             start_client_init(vs);
2722        } else if (vs->auth == VNC_AUTH_VNC) {
2723             VNC_DEBUG("Tell client VNC auth\n");
2724             vnc_write_u32(vs, vs->auth);
2725             vnc_flush(vs);
2726             start_auth_vnc(vs);
2727        } else {
2728             trace_vnc_auth_fail(vs, vs->auth,
2729                                 "Unsupported auth method for v3.3", "");
2730             vnc_write_u32(vs, VNC_AUTH_INVALID);
2731             vnc_flush(vs);
2732             vnc_client_error(vs);
2733        }
2734     } else {
2735         vnc_write_u8(vs, 1); /* num auth */
2736         vnc_write_u8(vs, vs->auth);
2737         vnc_read_when(vs, protocol_client_auth, 1);
2738         vnc_flush(vs);
2739     }
2740 
2741     return 0;
2742 }
2743 
2744 static VncRectStat *vnc_stat_rect(VncDisplay *vd, int x, int y)
2745 {
2746     struct VncSurface *vs = &vd->guest;
2747 
2748     return &vs->stats[y / VNC_STAT_RECT][x / VNC_STAT_RECT];
2749 }
2750 
2751 void vnc_sent_lossy_rect(VncState *vs, int x, int y, int w, int h)
2752 {
2753     int i, j;
2754 
2755     w = (x + w) / VNC_STAT_RECT;
2756     h = (y + h) / VNC_STAT_RECT;
2757     x /= VNC_STAT_RECT;
2758     y /= VNC_STAT_RECT;
2759 
2760     for (j = y; j <= h; j++) {
2761         for (i = x; i <= w; i++) {
2762             vs->lossy_rect[j][i] = 1;
2763         }
2764     }
2765 }
2766 
2767 static int vnc_refresh_lossy_rect(VncDisplay *vd, int x, int y)
2768 {
2769     VncState *vs;
2770     int sty = y / VNC_STAT_RECT;
2771     int stx = x / VNC_STAT_RECT;
2772     int has_dirty = 0;
2773 
2774     y = QEMU_ALIGN_DOWN(y, VNC_STAT_RECT);
2775     x = QEMU_ALIGN_DOWN(x, VNC_STAT_RECT);
2776 
2777     QTAILQ_FOREACH(vs, &vd->clients, next) {
2778         int j;
2779 
2780         /* kernel send buffers are full -> refresh later */
2781         if (vs->output.offset) {
2782             continue;
2783         }
2784 
2785         if (!vs->lossy_rect[sty][stx]) {
2786             continue;
2787         }
2788 
2789         vs->lossy_rect[sty][stx] = 0;
2790         for (j = 0; j < VNC_STAT_RECT; ++j) {
2791             bitmap_set(vs->dirty[y + j],
2792                        x / VNC_DIRTY_PIXELS_PER_BIT,
2793                        VNC_STAT_RECT / VNC_DIRTY_PIXELS_PER_BIT);
2794         }
2795         has_dirty++;
2796     }
2797 
2798     return has_dirty;
2799 }
2800 
2801 static int vnc_update_stats(VncDisplay *vd,  struct timeval * tv)
2802 {
2803     int width = MIN(pixman_image_get_width(vd->guest.fb),
2804                     pixman_image_get_width(vd->server));
2805     int height = MIN(pixman_image_get_height(vd->guest.fb),
2806                      pixman_image_get_height(vd->server));
2807     int x, y;
2808     struct timeval res;
2809     int has_dirty = 0;
2810 
2811     for (y = 0; y < height; y += VNC_STAT_RECT) {
2812         for (x = 0; x < width; x += VNC_STAT_RECT) {
2813             VncRectStat *rect = vnc_stat_rect(vd, x, y);
2814 
2815             rect->updated = false;
2816         }
2817     }
2818 
2819     qemu_timersub(tv, &VNC_REFRESH_STATS, &res);
2820 
2821     if (timercmp(&vd->guest.last_freq_check, &res, >)) {
2822         return has_dirty;
2823     }
2824     vd->guest.last_freq_check = *tv;
2825 
2826     for (y = 0; y < height; y += VNC_STAT_RECT) {
2827         for (x = 0; x < width; x += VNC_STAT_RECT) {
2828             VncRectStat *rect= vnc_stat_rect(vd, x, y);
2829             int count = ARRAY_SIZE(rect->times);
2830             struct timeval min, max;
2831 
2832             if (!timerisset(&rect->times[count - 1])) {
2833                 continue ;
2834             }
2835 
2836             max = rect->times[(rect->idx + count - 1) % count];
2837             qemu_timersub(tv, &max, &res);
2838 
2839             if (timercmp(&res, &VNC_REFRESH_LOSSY, >)) {
2840                 rect->freq = 0;
2841                 has_dirty += vnc_refresh_lossy_rect(vd, x, y);
2842                 memset(rect->times, 0, sizeof (rect->times));
2843                 continue ;
2844             }
2845 
2846             min = rect->times[rect->idx];
2847             max = rect->times[(rect->idx + count - 1) % count];
2848             qemu_timersub(&max, &min, &res);
2849 
2850             rect->freq = res.tv_sec + res.tv_usec / 1000000.;
2851             rect->freq /= count;
2852             rect->freq = 1. / rect->freq;
2853         }
2854     }
2855     return has_dirty;
2856 }
2857 
2858 double vnc_update_freq(VncState *vs, int x, int y, int w, int h)
2859 {
2860     int i, j;
2861     double total = 0;
2862     int num = 0;
2863 
2864     x =  QEMU_ALIGN_DOWN(x, VNC_STAT_RECT);
2865     y =  QEMU_ALIGN_DOWN(y, VNC_STAT_RECT);
2866 
2867     for (j = y; j <= y + h; j += VNC_STAT_RECT) {
2868         for (i = x; i <= x + w; i += VNC_STAT_RECT) {
2869             total += vnc_stat_rect(vs->vd, i, j)->freq;
2870             num++;
2871         }
2872     }
2873 
2874     if (num) {
2875         return total / num;
2876     } else {
2877         return 0;
2878     }
2879 }
2880 
2881 static void vnc_rect_updated(VncDisplay *vd, int x, int y, struct timeval * tv)
2882 {
2883     VncRectStat *rect;
2884 
2885     rect = vnc_stat_rect(vd, x, y);
2886     if (rect->updated) {
2887         return ;
2888     }
2889     rect->times[rect->idx] = *tv;
2890     rect->idx = (rect->idx + 1) % ARRAY_SIZE(rect->times);
2891     rect->updated = true;
2892 }
2893 
2894 static int vnc_refresh_server_surface(VncDisplay *vd)
2895 {
2896     int width = MIN(pixman_image_get_width(vd->guest.fb),
2897                     pixman_image_get_width(vd->server));
2898     int height = MIN(pixman_image_get_height(vd->guest.fb),
2899                      pixman_image_get_height(vd->server));
2900     int cmp_bytes, server_stride, line_bytes, guest_ll, guest_stride, y = 0;
2901     uint8_t *guest_row0 = NULL, *server_row0;
2902     VncState *vs;
2903     int has_dirty = 0;
2904     pixman_image_t *tmpbuf = NULL;
2905 
2906     struct timeval tv = { 0, 0 };
2907 
2908     if (!vd->non_adaptive) {
2909         gettimeofday(&tv, NULL);
2910         has_dirty = vnc_update_stats(vd, &tv);
2911     }
2912 
2913     /*
2914      * Walk through the guest dirty map.
2915      * Check and copy modified bits from guest to server surface.
2916      * Update server dirty map.
2917      */
2918     server_row0 = (uint8_t *)pixman_image_get_data(vd->server);
2919     server_stride = guest_stride = guest_ll =
2920         pixman_image_get_stride(vd->server);
2921     cmp_bytes = MIN(VNC_DIRTY_PIXELS_PER_BIT * VNC_SERVER_FB_BYTES,
2922                     server_stride);
2923     if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
2924         int width = pixman_image_get_width(vd->server);
2925         tmpbuf = qemu_pixman_linebuf_create(VNC_SERVER_FB_FORMAT, width);
2926     } else {
2927         int guest_bpp =
2928             PIXMAN_FORMAT_BPP(pixman_image_get_format(vd->guest.fb));
2929         guest_row0 = (uint8_t *)pixman_image_get_data(vd->guest.fb);
2930         guest_stride = pixman_image_get_stride(vd->guest.fb);
2931         guest_ll = pixman_image_get_width(vd->guest.fb)
2932                    * DIV_ROUND_UP(guest_bpp, 8);
2933     }
2934     line_bytes = MIN(server_stride, guest_ll);
2935 
2936     for (;;) {
2937         int x;
2938         uint8_t *guest_ptr, *server_ptr;
2939         unsigned long offset = find_next_bit((unsigned long *) &vd->guest.dirty,
2940                                              height * VNC_DIRTY_BPL(&vd->guest),
2941                                              y * VNC_DIRTY_BPL(&vd->guest));
2942         if (offset == height * VNC_DIRTY_BPL(&vd->guest)) {
2943             /* no more dirty bits */
2944             break;
2945         }
2946         y = offset / VNC_DIRTY_BPL(&vd->guest);
2947         x = offset % VNC_DIRTY_BPL(&vd->guest);
2948 
2949         server_ptr = server_row0 + y * server_stride + x * cmp_bytes;
2950 
2951         if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
2952             qemu_pixman_linebuf_fill(tmpbuf, vd->guest.fb, width, 0, y);
2953             guest_ptr = (uint8_t *)pixman_image_get_data(tmpbuf);
2954         } else {
2955             guest_ptr = guest_row0 + y * guest_stride;
2956         }
2957         guest_ptr += x * cmp_bytes;
2958 
2959         for (; x < DIV_ROUND_UP(width, VNC_DIRTY_PIXELS_PER_BIT);
2960              x++, guest_ptr += cmp_bytes, server_ptr += cmp_bytes) {
2961             int _cmp_bytes = cmp_bytes;
2962             if (!test_and_clear_bit(x, vd->guest.dirty[y])) {
2963                 continue;
2964             }
2965             if ((x + 1) * cmp_bytes > line_bytes) {
2966                 _cmp_bytes = line_bytes - x * cmp_bytes;
2967             }
2968             assert(_cmp_bytes >= 0);
2969             if (memcmp(server_ptr, guest_ptr, _cmp_bytes) == 0) {
2970                 continue;
2971             }
2972             memcpy(server_ptr, guest_ptr, _cmp_bytes);
2973             if (!vd->non_adaptive) {
2974                 vnc_rect_updated(vd, x * VNC_DIRTY_PIXELS_PER_BIT,
2975                                  y, &tv);
2976             }
2977             QTAILQ_FOREACH(vs, &vd->clients, next) {
2978                 set_bit(x, vs->dirty[y]);
2979             }
2980             has_dirty++;
2981         }
2982 
2983         y++;
2984     }
2985     qemu_pixman_image_unref(tmpbuf);
2986     return has_dirty;
2987 }
2988 
2989 static void vnc_refresh(DisplayChangeListener *dcl)
2990 {
2991     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
2992     VncState *vs, *vn;
2993     int has_dirty, rects = 0;
2994 
2995     if (QTAILQ_EMPTY(&vd->clients)) {
2996         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_MAX);
2997         return;
2998     }
2999 
3000     graphic_hw_update(vd->dcl.con);
3001 
3002     if (vnc_trylock_display(vd)) {
3003         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
3004         return;
3005     }
3006 
3007     has_dirty = vnc_refresh_server_surface(vd);
3008     vnc_unlock_display(vd);
3009 
3010     QTAILQ_FOREACH_SAFE(vs, &vd->clients, next, vn) {
3011         rects += vnc_update_client(vs, has_dirty);
3012         /* vs might be free()ed here */
3013     }
3014 
3015     if (has_dirty && rects) {
3016         vd->dcl.update_interval /= 2;
3017         if (vd->dcl.update_interval < VNC_REFRESH_INTERVAL_BASE) {
3018             vd->dcl.update_interval = VNC_REFRESH_INTERVAL_BASE;
3019         }
3020     } else {
3021         vd->dcl.update_interval += VNC_REFRESH_INTERVAL_INC;
3022         if (vd->dcl.update_interval > VNC_REFRESH_INTERVAL_MAX) {
3023             vd->dcl.update_interval = VNC_REFRESH_INTERVAL_MAX;
3024         }
3025     }
3026 }
3027 
3028 static void vnc_connect(VncDisplay *vd, QIOChannelSocket *sioc,
3029                         bool skipauth, bool websocket)
3030 {
3031     VncState *vs = g_new0(VncState, 1);
3032     bool first_client = QTAILQ_EMPTY(&vd->clients);
3033     int i;
3034 
3035     trace_vnc_client_connect(vs, sioc);
3036     vs->magic = VNC_MAGIC;
3037     vs->sioc = sioc;
3038     object_ref(OBJECT(vs->sioc));
3039     vs->ioc = QIO_CHANNEL(sioc);
3040     object_ref(OBJECT(vs->ioc));
3041     vs->vd = vd;
3042 
3043     buffer_init(&vs->input,          "vnc-input/%p", sioc);
3044     buffer_init(&vs->output,         "vnc-output/%p", sioc);
3045     buffer_init(&vs->jobs_buffer,    "vnc-jobs_buffer/%p", sioc);
3046 
3047     buffer_init(&vs->tight.tight,    "vnc-tight/%p", sioc);
3048     buffer_init(&vs->tight.zlib,     "vnc-tight-zlib/%p", sioc);
3049     buffer_init(&vs->tight.gradient, "vnc-tight-gradient/%p", sioc);
3050 #ifdef CONFIG_VNC_JPEG
3051     buffer_init(&vs->tight.jpeg,     "vnc-tight-jpeg/%p", sioc);
3052 #endif
3053 #ifdef CONFIG_VNC_PNG
3054     buffer_init(&vs->tight.png,      "vnc-tight-png/%p", sioc);
3055 #endif
3056     buffer_init(&vs->zlib.zlib,      "vnc-zlib/%p", sioc);
3057     buffer_init(&vs->zrle.zrle,      "vnc-zrle/%p", sioc);
3058     buffer_init(&vs->zrle.fb,        "vnc-zrle-fb/%p", sioc);
3059     buffer_init(&vs->zrle.zlib,      "vnc-zrle-zlib/%p", sioc);
3060 
3061     if (skipauth) {
3062         vs->auth = VNC_AUTH_NONE;
3063         vs->subauth = VNC_AUTH_INVALID;
3064     } else {
3065         if (websocket) {
3066             vs->auth = vd->ws_auth;
3067             vs->subauth = VNC_AUTH_INVALID;
3068         } else {
3069             vs->auth = vd->auth;
3070             vs->subauth = vd->subauth;
3071         }
3072     }
3073     VNC_DEBUG("Client sioc=%p ws=%d auth=%d subauth=%d\n",
3074               sioc, websocket, vs->auth, vs->subauth);
3075 
3076     vs->lossy_rect = g_malloc0(VNC_STAT_ROWS * sizeof (*vs->lossy_rect));
3077     for (i = 0; i < VNC_STAT_ROWS; ++i) {
3078         vs->lossy_rect[i] = g_new0(uint8_t, VNC_STAT_COLS);
3079     }
3080 
3081     VNC_DEBUG("New client on socket %p\n", vs->sioc);
3082     update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
3083     qio_channel_set_blocking(vs->ioc, false, NULL);
3084     if (vs->ioc_tag) {
3085         g_source_remove(vs->ioc_tag);
3086     }
3087     if (websocket) {
3088         vs->websocket = 1;
3089         if (vd->tlscreds) {
3090             vs->ioc_tag = qio_channel_add_watch(
3091                 vs->ioc, G_IO_IN, vncws_tls_handshake_io, vs, NULL);
3092         } else {
3093             vs->ioc_tag = qio_channel_add_watch(
3094                 vs->ioc, G_IO_IN, vncws_handshake_io, vs, NULL);
3095         }
3096     } else {
3097         vs->ioc_tag = qio_channel_add_watch(
3098             vs->ioc, G_IO_IN, vnc_client_io, vs, NULL);
3099     }
3100 
3101     vnc_client_cache_addr(vs);
3102     vnc_qmp_event(vs, QAPI_EVENT_VNC_CONNECTED);
3103     vnc_set_share_mode(vs, VNC_SHARE_MODE_CONNECTING);
3104 
3105     vs->last_x = -1;
3106     vs->last_y = -1;
3107 
3108     vs->as.freq = 44100;
3109     vs->as.nchannels = 2;
3110     vs->as.fmt = AUDIO_FORMAT_S16;
3111     vs->as.endianness = 0;
3112 
3113     qemu_mutex_init(&vs->output_mutex);
3114     vs->bh = qemu_bh_new(vnc_jobs_bh, vs);
3115 
3116     QTAILQ_INSERT_TAIL(&vd->clients, vs, next);
3117     if (first_client) {
3118         vnc_update_server_surface(vd);
3119     }
3120 
3121     graphic_hw_update(vd->dcl.con);
3122 
3123     if (!vs->websocket) {
3124         vnc_start_protocol(vs);
3125     }
3126 
3127     if (vd->num_connecting > vd->connections_limit) {
3128         QTAILQ_FOREACH(vs, &vd->clients, next) {
3129             if (vs->share_mode == VNC_SHARE_MODE_CONNECTING) {
3130                 vnc_disconnect_start(vs);
3131                 return;
3132             }
3133         }
3134     }
3135 }
3136 
3137 void vnc_start_protocol(VncState *vs)
3138 {
3139     vnc_write(vs, "RFB 003.008\n", 12);
3140     vnc_flush(vs);
3141     vnc_read_when(vs, protocol_version, 12);
3142 
3143     vs->mouse_mode_notifier.notify = check_pointer_type_change;
3144     qemu_add_mouse_mode_change_notifier(&vs->mouse_mode_notifier);
3145 }
3146 
3147 static void vnc_listen_io(QIONetListener *listener,
3148                           QIOChannelSocket *cioc,
3149                           void *opaque)
3150 {
3151     VncDisplay *vd = opaque;
3152     bool isWebsock = listener == vd->wslistener;
3153 
3154     qio_channel_set_name(QIO_CHANNEL(cioc),
3155                          isWebsock ? "vnc-ws-server" : "vnc-server");
3156     qio_channel_set_delay(QIO_CHANNEL(cioc), false);
3157     vnc_connect(vd, cioc, false, isWebsock);
3158 }
3159 
3160 static const DisplayChangeListenerOps dcl_ops = {
3161     .dpy_name             = "vnc",
3162     .dpy_refresh          = vnc_refresh,
3163     .dpy_gfx_update       = vnc_dpy_update,
3164     .dpy_gfx_switch       = vnc_dpy_switch,
3165     .dpy_gfx_check_format = qemu_pixman_check_format,
3166     .dpy_mouse_set        = vnc_mouse_set,
3167     .dpy_cursor_define    = vnc_dpy_cursor_define,
3168 };
3169 
3170 void vnc_display_init(const char *id, Error **errp)
3171 {
3172     VncDisplay *vd;
3173 
3174     if (vnc_display_find(id) != NULL) {
3175         return;
3176     }
3177     vd = g_malloc0(sizeof(*vd));
3178 
3179     vd->id = strdup(id);
3180     QTAILQ_INSERT_TAIL(&vnc_displays, vd, next);
3181 
3182     QTAILQ_INIT(&vd->clients);
3183     vd->expires = TIME_MAX;
3184 
3185     if (keyboard_layout) {
3186         trace_vnc_key_map_init(keyboard_layout);
3187         vd->kbd_layout = init_keyboard_layout(name2keysym,
3188                                               keyboard_layout, errp);
3189     } else {
3190         vd->kbd_layout = init_keyboard_layout(name2keysym, "en-us", errp);
3191     }
3192 
3193     if (!vd->kbd_layout) {
3194         return;
3195     }
3196 
3197     vd->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
3198     vd->connections_limit = 32;
3199 
3200     qemu_mutex_init(&vd->mutex);
3201     vnc_start_worker_thread();
3202 
3203     vd->dcl.ops = &dcl_ops;
3204     register_displaychangelistener(&vd->dcl);
3205     vd->kbd = qkbd_state_init(vd->dcl.con);
3206 }
3207 
3208 
3209 static void vnc_display_close(VncDisplay *vd)
3210 {
3211     if (!vd) {
3212         return;
3213     }
3214     vd->is_unix = false;
3215 
3216     if (vd->listener) {
3217         qio_net_listener_disconnect(vd->listener);
3218         object_unref(OBJECT(vd->listener));
3219     }
3220     vd->listener = NULL;
3221 
3222     if (vd->wslistener) {
3223         qio_net_listener_disconnect(vd->wslistener);
3224         object_unref(OBJECT(vd->wslistener));
3225     }
3226     vd->wslistener = NULL;
3227 
3228     vd->auth = VNC_AUTH_INVALID;
3229     vd->subauth = VNC_AUTH_INVALID;
3230     if (vd->tlscreds) {
3231         object_unparent(OBJECT(vd->tlscreds));
3232         vd->tlscreds = NULL;
3233     }
3234     if (vd->tlsauthz) {
3235         object_unparent(OBJECT(vd->tlsauthz));
3236         vd->tlsauthz = NULL;
3237     }
3238     g_free(vd->tlsauthzid);
3239     vd->tlsauthzid = NULL;
3240     if (vd->lock_key_sync) {
3241         qemu_remove_led_event_handler(vd->led);
3242         vd->led = NULL;
3243     }
3244 #ifdef CONFIG_VNC_SASL
3245     if (vd->sasl.authz) {
3246         object_unparent(OBJECT(vd->sasl.authz));
3247         vd->sasl.authz = NULL;
3248     }
3249     g_free(vd->sasl.authzid);
3250     vd->sasl.authzid = NULL;
3251 #endif
3252 }
3253 
3254 int vnc_display_password(const char *id, const char *password)
3255 {
3256     VncDisplay *vd = vnc_display_find(id);
3257 
3258     if (!vd) {
3259         return -EINVAL;
3260     }
3261     if (vd->auth == VNC_AUTH_NONE) {
3262         error_printf_unless_qmp("If you want use passwords please enable "
3263                                 "password auth using '-vnc ${dpy},password'.\n");
3264         return -EINVAL;
3265     }
3266 
3267     g_free(vd->password);
3268     vd->password = g_strdup(password);
3269 
3270     return 0;
3271 }
3272 
3273 int vnc_display_pw_expire(const char *id, time_t expires)
3274 {
3275     VncDisplay *vd = vnc_display_find(id);
3276 
3277     if (!vd) {
3278         return -EINVAL;
3279     }
3280 
3281     vd->expires = expires;
3282     return 0;
3283 }
3284 
3285 static void vnc_display_print_local_addr(VncDisplay *vd)
3286 {
3287     SocketAddress *addr;
3288     Error *err = NULL;
3289 
3290     if (!vd->listener || !vd->listener->nsioc) {
3291         return;
3292     }
3293 
3294     addr = qio_channel_socket_get_local_address(vd->listener->sioc[0], &err);
3295     if (!addr) {
3296         return;
3297     }
3298 
3299     if (addr->type != SOCKET_ADDRESS_TYPE_INET) {
3300         qapi_free_SocketAddress(addr);
3301         return;
3302     }
3303     error_printf_unless_qmp("VNC server running on %s:%s\n",
3304                             addr->u.inet.host,
3305                             addr->u.inet.port);
3306     qapi_free_SocketAddress(addr);
3307 }
3308 
3309 static QemuOptsList qemu_vnc_opts = {
3310     .name = "vnc",
3311     .head = QTAILQ_HEAD_INITIALIZER(qemu_vnc_opts.head),
3312     .implied_opt_name = "vnc",
3313     .desc = {
3314         {
3315             .name = "vnc",
3316             .type = QEMU_OPT_STRING,
3317         },{
3318             .name = "websocket",
3319             .type = QEMU_OPT_STRING,
3320         },{
3321             .name = "tls-creds",
3322             .type = QEMU_OPT_STRING,
3323         },{
3324             .name = "share",
3325             .type = QEMU_OPT_STRING,
3326         },{
3327             .name = "display",
3328             .type = QEMU_OPT_STRING,
3329         },{
3330             .name = "head",
3331             .type = QEMU_OPT_NUMBER,
3332         },{
3333             .name = "connections",
3334             .type = QEMU_OPT_NUMBER,
3335         },{
3336             .name = "to",
3337             .type = QEMU_OPT_NUMBER,
3338         },{
3339             .name = "ipv4",
3340             .type = QEMU_OPT_BOOL,
3341         },{
3342             .name = "ipv6",
3343             .type = QEMU_OPT_BOOL,
3344         },{
3345             .name = "password",
3346             .type = QEMU_OPT_BOOL,
3347         },{
3348             .name = "reverse",
3349             .type = QEMU_OPT_BOOL,
3350         },{
3351             .name = "lock-key-sync",
3352             .type = QEMU_OPT_BOOL,
3353         },{
3354             .name = "key-delay-ms",
3355             .type = QEMU_OPT_NUMBER,
3356         },{
3357             .name = "sasl",
3358             .type = QEMU_OPT_BOOL,
3359         },{
3360             .name = "acl",
3361             .type = QEMU_OPT_BOOL,
3362         },{
3363             .name = "tls-authz",
3364             .type = QEMU_OPT_STRING,
3365         },{
3366             .name = "sasl-authz",
3367             .type = QEMU_OPT_STRING,
3368         },{
3369             .name = "lossy",
3370             .type = QEMU_OPT_BOOL,
3371         },{
3372             .name = "non-adaptive",
3373             .type = QEMU_OPT_BOOL,
3374         },
3375         { /* end of list */ }
3376     },
3377 };
3378 
3379 
3380 static int
3381 vnc_display_setup_auth(int *auth,
3382                        int *subauth,
3383                        QCryptoTLSCreds *tlscreds,
3384                        bool password,
3385                        bool sasl,
3386                        bool websocket,
3387                        Error **errp)
3388 {
3389     /*
3390      * We have a choice of 3 authentication options
3391      *
3392      *   1. none
3393      *   2. vnc
3394      *   3. sasl
3395      *
3396      * The channel can be run in 2 modes
3397      *
3398      *   1. clear
3399      *   2. tls
3400      *
3401      * And TLS can use 2 types of credentials
3402      *
3403      *   1. anon
3404      *   2. x509
3405      *
3406      * We thus have 9 possible logical combinations
3407      *
3408      *   1. clear + none
3409      *   2. clear + vnc
3410      *   3. clear + sasl
3411      *   4. tls + anon + none
3412      *   5. tls + anon + vnc
3413      *   6. tls + anon + sasl
3414      *   7. tls + x509 + none
3415      *   8. tls + x509 + vnc
3416      *   9. tls + x509 + sasl
3417      *
3418      * These need to be mapped into the VNC auth schemes
3419      * in an appropriate manner. In regular VNC, all the
3420      * TLS options get mapped into VNC_AUTH_VENCRYPT
3421      * sub-auth types.
3422      *
3423      * In websockets, the https:// protocol already provides
3424      * TLS support, so there is no need to make use of the
3425      * VeNCrypt extension. Furthermore, websockets browser
3426      * clients could not use VeNCrypt even if they wanted to,
3427      * as they cannot control when the TLS handshake takes
3428      * place. Thus there is no option but to rely on https://,
3429      * meaning combinations 4->6 and 7->9 will be mapped to
3430      * VNC auth schemes in the same way as combos 1->3.
3431      *
3432      * Regardless of fact that we have a different mapping to
3433      * VNC auth mechs for plain VNC vs websockets VNC, the end
3434      * result has the same security characteristics.
3435      */
3436     if (websocket || !tlscreds) {
3437         if (password) {
3438             VNC_DEBUG("Initializing VNC server with password auth\n");
3439             *auth = VNC_AUTH_VNC;
3440         } else if (sasl) {
3441             VNC_DEBUG("Initializing VNC server with SASL auth\n");
3442             *auth = VNC_AUTH_SASL;
3443         } else {
3444             VNC_DEBUG("Initializing VNC server with no auth\n");
3445             *auth = VNC_AUTH_NONE;
3446         }
3447         *subauth = VNC_AUTH_INVALID;
3448     } else {
3449         bool is_x509 = object_dynamic_cast(OBJECT(tlscreds),
3450                                            TYPE_QCRYPTO_TLS_CREDS_X509) != NULL;
3451         bool is_anon = object_dynamic_cast(OBJECT(tlscreds),
3452                                            TYPE_QCRYPTO_TLS_CREDS_ANON) != NULL;
3453 
3454         if (!is_x509 && !is_anon) {
3455             error_setg(errp,
3456                        "Unsupported TLS cred type %s",
3457                        object_get_typename(OBJECT(tlscreds)));
3458             return -1;
3459         }
3460         *auth = VNC_AUTH_VENCRYPT;
3461         if (password) {
3462             if (is_x509) {
3463                 VNC_DEBUG("Initializing VNC server with x509 password auth\n");
3464                 *subauth = VNC_AUTH_VENCRYPT_X509VNC;
3465             } else {
3466                 VNC_DEBUG("Initializing VNC server with TLS password auth\n");
3467                 *subauth = VNC_AUTH_VENCRYPT_TLSVNC;
3468             }
3469 
3470         } else if (sasl) {
3471             if (is_x509) {
3472                 VNC_DEBUG("Initializing VNC server with x509 SASL auth\n");
3473                 *subauth = VNC_AUTH_VENCRYPT_X509SASL;
3474             } else {
3475                 VNC_DEBUG("Initializing VNC server with TLS SASL auth\n");
3476                 *subauth = VNC_AUTH_VENCRYPT_TLSSASL;
3477             }
3478         } else {
3479             if (is_x509) {
3480                 VNC_DEBUG("Initializing VNC server with x509 no auth\n");
3481                 *subauth = VNC_AUTH_VENCRYPT_X509NONE;
3482             } else {
3483                 VNC_DEBUG("Initializing VNC server with TLS no auth\n");
3484                 *subauth = VNC_AUTH_VENCRYPT_TLSNONE;
3485             }
3486         }
3487     }
3488     return 0;
3489 }
3490 
3491 
3492 static int vnc_display_get_address(const char *addrstr,
3493                                    bool websocket,
3494                                    bool reverse,
3495                                    int displaynum,
3496                                    int to,
3497                                    bool has_ipv4,
3498                                    bool has_ipv6,
3499                                    bool ipv4,
3500                                    bool ipv6,
3501                                    SocketAddress **retaddr,
3502                                    Error **errp)
3503 {
3504     int ret = -1;
3505     SocketAddress *addr = NULL;
3506 
3507     addr = g_new0(SocketAddress, 1);
3508 
3509     if (strncmp(addrstr, "unix:", 5) == 0) {
3510         addr->type = SOCKET_ADDRESS_TYPE_UNIX;
3511         addr->u.q_unix.path = g_strdup(addrstr + 5);
3512 
3513         if (websocket) {
3514             error_setg(errp, "UNIX sockets not supported with websock");
3515             goto cleanup;
3516         }
3517 
3518         if (to) {
3519             error_setg(errp, "Port range not support with UNIX socket");
3520             goto cleanup;
3521         }
3522         ret = 0;
3523     } else {
3524         const char *port;
3525         size_t hostlen;
3526         unsigned long long baseport = 0;
3527         InetSocketAddress *inet;
3528 
3529         port = strrchr(addrstr, ':');
3530         if (!port) {
3531             if (websocket) {
3532                 hostlen = 0;
3533                 port = addrstr;
3534             } else {
3535                 error_setg(errp, "no vnc port specified");
3536                 goto cleanup;
3537             }
3538         } else {
3539             hostlen = port - addrstr;
3540             port++;
3541             if (*port == '\0') {
3542                 error_setg(errp, "vnc port cannot be empty");
3543                 goto cleanup;
3544             }
3545         }
3546 
3547         addr->type = SOCKET_ADDRESS_TYPE_INET;
3548         inet = &addr->u.inet;
3549         if (addrstr[0] == '[' && addrstr[hostlen - 1] == ']') {
3550             inet->host = g_strndup(addrstr + 1, hostlen - 2);
3551         } else {
3552             inet->host = g_strndup(addrstr, hostlen);
3553         }
3554         /* plain VNC port is just an offset, for websocket
3555          * port is absolute */
3556         if (websocket) {
3557             if (g_str_equal(addrstr, "") ||
3558                 g_str_equal(addrstr, "on")) {
3559                 if (displaynum == -1) {
3560                     error_setg(errp, "explicit websocket port is required");
3561                     goto cleanup;
3562                 }
3563                 inet->port = g_strdup_printf(
3564                     "%d", displaynum + 5700);
3565                 if (to) {
3566                     inet->has_to = true;
3567                     inet->to = to + 5700;
3568                 }
3569             } else {
3570                 inet->port = g_strdup(port);
3571             }
3572         } else {
3573             int offset = reverse ? 0 : 5900;
3574             if (parse_uint_full(port, &baseport, 10) < 0) {
3575                 error_setg(errp, "can't convert to a number: %s", port);
3576                 goto cleanup;
3577             }
3578             if (baseport > 65535 ||
3579                 baseport + offset > 65535) {
3580                 error_setg(errp, "port %s out of range", port);
3581                 goto cleanup;
3582             }
3583             inet->port = g_strdup_printf(
3584                 "%d", (int)baseport + offset);
3585 
3586             if (to) {
3587                 inet->has_to = true;
3588                 inet->to = to + offset;
3589             }
3590         }
3591 
3592         inet->ipv4 = ipv4;
3593         inet->has_ipv4 = has_ipv4;
3594         inet->ipv6 = ipv6;
3595         inet->has_ipv6 = has_ipv6;
3596 
3597         ret = baseport;
3598     }
3599 
3600     *retaddr = addr;
3601 
3602  cleanup:
3603     if (ret < 0) {
3604         qapi_free_SocketAddress(addr);
3605     }
3606     return ret;
3607 }
3608 
3609 static void vnc_free_addresses(SocketAddress ***retsaddr,
3610                                size_t *retnsaddr)
3611 {
3612     size_t i;
3613 
3614     for (i = 0; i < *retnsaddr; i++) {
3615         qapi_free_SocketAddress((*retsaddr)[i]);
3616     }
3617     g_free(*retsaddr);
3618 
3619     *retsaddr = NULL;
3620     *retnsaddr = 0;
3621 }
3622 
3623 static int vnc_display_get_addresses(QemuOpts *opts,
3624                                      bool reverse,
3625                                      SocketAddress ***retsaddr,
3626                                      size_t *retnsaddr,
3627                                      SocketAddress ***retwsaddr,
3628                                      size_t *retnwsaddr,
3629                                      Error **errp)
3630 {
3631     SocketAddress *saddr = NULL;
3632     SocketAddress *wsaddr = NULL;
3633     QemuOptsIter addriter;
3634     const char *addr;
3635     int to = qemu_opt_get_number(opts, "to", 0);
3636     bool has_ipv4 = qemu_opt_get(opts, "ipv4");
3637     bool has_ipv6 = qemu_opt_get(opts, "ipv6");
3638     bool ipv4 = qemu_opt_get_bool(opts, "ipv4", false);
3639     bool ipv6 = qemu_opt_get_bool(opts, "ipv6", false);
3640     int displaynum = -1;
3641     int ret = -1;
3642 
3643     *retsaddr = NULL;
3644     *retnsaddr = 0;
3645     *retwsaddr = NULL;
3646     *retnwsaddr = 0;
3647 
3648     addr = qemu_opt_get(opts, "vnc");
3649     if (addr == NULL || g_str_equal(addr, "none")) {
3650         ret = 0;
3651         goto cleanup;
3652     }
3653     if (qemu_opt_get(opts, "websocket") &&
3654         !qcrypto_hash_supports(QCRYPTO_HASH_ALG_SHA1)) {
3655         error_setg(errp,
3656                    "SHA1 hash support is required for websockets");
3657         goto cleanup;
3658     }
3659 
3660     qemu_opt_iter_init(&addriter, opts, "vnc");
3661     while ((addr = qemu_opt_iter_next(&addriter)) != NULL) {
3662         int rv;
3663         rv = vnc_display_get_address(addr, false, reverse, 0, to,
3664                                      has_ipv4, has_ipv6,
3665                                      ipv4, ipv6,
3666                                      &saddr, errp);
3667         if (rv < 0) {
3668             goto cleanup;
3669         }
3670         /* Historical compat - first listen address can be used
3671          * to set the default websocket port
3672          */
3673         if (displaynum == -1) {
3674             displaynum = rv;
3675         }
3676         *retsaddr = g_renew(SocketAddress *, *retsaddr, *retnsaddr + 1);
3677         (*retsaddr)[(*retnsaddr)++] = saddr;
3678     }
3679 
3680     /* If we had multiple primary displays, we don't do defaults
3681      * for websocket, and require explicit config instead. */
3682     if (*retnsaddr > 1) {
3683         displaynum = -1;
3684     }
3685 
3686     qemu_opt_iter_init(&addriter, opts, "websocket");
3687     while ((addr = qemu_opt_iter_next(&addriter)) != NULL) {
3688         if (vnc_display_get_address(addr, true, reverse, displaynum, to,
3689                                     has_ipv4, has_ipv6,
3690                                     ipv4, ipv6,
3691                                     &wsaddr, errp) < 0) {
3692             goto cleanup;
3693         }
3694 
3695         /* Historical compat - if only a single listen address was
3696          * provided, then this is used to set the default listen
3697          * address for websocket too
3698          */
3699         if (*retnsaddr == 1 &&
3700             (*retsaddr)[0]->type == SOCKET_ADDRESS_TYPE_INET &&
3701             wsaddr->type == SOCKET_ADDRESS_TYPE_INET &&
3702             g_str_equal(wsaddr->u.inet.host, "") &&
3703             !g_str_equal((*retsaddr)[0]->u.inet.host, "")) {
3704             g_free(wsaddr->u.inet.host);
3705             wsaddr->u.inet.host = g_strdup((*retsaddr)[0]->u.inet.host);
3706         }
3707 
3708         *retwsaddr = g_renew(SocketAddress *, *retwsaddr, *retnwsaddr + 1);
3709         (*retwsaddr)[(*retnwsaddr)++] = wsaddr;
3710     }
3711 
3712     ret = 0;
3713  cleanup:
3714     if (ret < 0) {
3715         vnc_free_addresses(retsaddr, retnsaddr);
3716         vnc_free_addresses(retwsaddr, retnwsaddr);
3717     }
3718     return ret;
3719 }
3720 
3721 static int vnc_display_connect(VncDisplay *vd,
3722                                SocketAddress **saddr,
3723                                size_t nsaddr,
3724                                SocketAddress **wsaddr,
3725                                size_t nwsaddr,
3726                                Error **errp)
3727 {
3728     /* connect to viewer */
3729     QIOChannelSocket *sioc = NULL;
3730     if (nwsaddr != 0) {
3731         error_setg(errp, "Cannot use websockets in reverse mode");
3732         return -1;
3733     }
3734     if (nsaddr != 1) {
3735         error_setg(errp, "Expected a single address in reverse mode");
3736         return -1;
3737     }
3738     /* TODO SOCKET_ADDRESS_TYPE_FD when fd has AF_UNIX */
3739     vd->is_unix = saddr[0]->type == SOCKET_ADDRESS_TYPE_UNIX;
3740     sioc = qio_channel_socket_new();
3741     qio_channel_set_name(QIO_CHANNEL(sioc), "vnc-reverse");
3742     if (qio_channel_socket_connect_sync(sioc, saddr[0], errp) < 0) {
3743         return -1;
3744     }
3745     vnc_connect(vd, sioc, false, false);
3746     object_unref(OBJECT(sioc));
3747     return 0;
3748 }
3749 
3750 
3751 static int vnc_display_listen(VncDisplay *vd,
3752                               SocketAddress **saddr,
3753                               size_t nsaddr,
3754                               SocketAddress **wsaddr,
3755                               size_t nwsaddr,
3756                               Error **errp)
3757 {
3758     size_t i;
3759 
3760     if (nsaddr) {
3761         vd->listener = qio_net_listener_new();
3762         qio_net_listener_set_name(vd->listener, "vnc-listen");
3763         for (i = 0; i < nsaddr; i++) {
3764             if (qio_net_listener_open_sync(vd->listener,
3765                                            saddr[i],
3766                                            errp) < 0)  {
3767                 return -1;
3768             }
3769         }
3770 
3771         qio_net_listener_set_client_func(vd->listener,
3772                                          vnc_listen_io, vd, NULL);
3773     }
3774 
3775     if (nwsaddr) {
3776         vd->wslistener = qio_net_listener_new();
3777         qio_net_listener_set_name(vd->wslistener, "vnc-ws-listen");
3778         for (i = 0; i < nwsaddr; i++) {
3779             if (qio_net_listener_open_sync(vd->wslistener,
3780                                            wsaddr[i],
3781                                            errp) < 0)  {
3782                 return -1;
3783             }
3784         }
3785 
3786         qio_net_listener_set_client_func(vd->wslistener,
3787                                          vnc_listen_io, vd, NULL);
3788     }
3789 
3790     return 0;
3791 }
3792 
3793 
3794 void vnc_display_open(const char *id, Error **errp)
3795 {
3796     VncDisplay *vd = vnc_display_find(id);
3797     QemuOpts *opts = qemu_opts_find(&qemu_vnc_opts, id);
3798     SocketAddress **saddr = NULL, **wsaddr = NULL;
3799     size_t nsaddr, nwsaddr;
3800     const char *share, *device_id;
3801     QemuConsole *con;
3802     bool password = false;
3803     bool reverse = false;
3804     const char *credid;
3805     bool sasl = false;
3806     int acl = 0;
3807     const char *tlsauthz;
3808     const char *saslauthz;
3809     int lock_key_sync = 1;
3810     int key_delay_ms;
3811 
3812     if (!vd) {
3813         error_setg(errp, "VNC display not active");
3814         return;
3815     }
3816     vnc_display_close(vd);
3817 
3818     if (!opts) {
3819         return;
3820     }
3821 
3822     reverse = qemu_opt_get_bool(opts, "reverse", false);
3823     if (vnc_display_get_addresses(opts, reverse, &saddr, &nsaddr,
3824                                   &wsaddr, &nwsaddr, errp) < 0) {
3825         goto fail;
3826     }
3827 
3828     password = qemu_opt_get_bool(opts, "password", false);
3829     if (password) {
3830         if (fips_get_state()) {
3831             error_setg(errp,
3832                        "VNC password auth disabled due to FIPS mode, "
3833                        "consider using the VeNCrypt or SASL authentication "
3834                        "methods as an alternative");
3835             goto fail;
3836         }
3837         if (!qcrypto_cipher_supports(
3838                 QCRYPTO_CIPHER_ALG_DES_RFB, QCRYPTO_CIPHER_MODE_ECB)) {
3839             error_setg(errp,
3840                        "Cipher backend does not support DES RFB algorithm");
3841             goto fail;
3842         }
3843     }
3844 
3845     lock_key_sync = qemu_opt_get_bool(opts, "lock-key-sync", true);
3846     key_delay_ms = qemu_opt_get_number(opts, "key-delay-ms", 10);
3847     sasl = qemu_opt_get_bool(opts, "sasl", false);
3848 #ifndef CONFIG_VNC_SASL
3849     if (sasl) {
3850         error_setg(errp, "VNC SASL auth requires cyrus-sasl support");
3851         goto fail;
3852     }
3853 #endif /* CONFIG_VNC_SASL */
3854     credid = qemu_opt_get(opts, "tls-creds");
3855     if (credid) {
3856         Object *creds;
3857         creds = object_resolve_path_component(
3858             object_get_objects_root(), credid);
3859         if (!creds) {
3860             error_setg(errp, "No TLS credentials with id '%s'",
3861                        credid);
3862             goto fail;
3863         }
3864         vd->tlscreds = (QCryptoTLSCreds *)
3865             object_dynamic_cast(creds,
3866                                 TYPE_QCRYPTO_TLS_CREDS);
3867         if (!vd->tlscreds) {
3868             error_setg(errp, "Object with id '%s' is not TLS credentials",
3869                        credid);
3870             goto fail;
3871         }
3872         object_ref(OBJECT(vd->tlscreds));
3873 
3874         if (vd->tlscreds->endpoint != QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) {
3875             error_setg(errp,
3876                        "Expecting TLS credentials with a server endpoint");
3877             goto fail;
3878         }
3879     }
3880     if (qemu_opt_get(opts, "acl")) {
3881         error_report("The 'acl' option to -vnc is deprecated. "
3882                      "Please use the 'tls-authz' and 'sasl-authz' "
3883                      "options instead");
3884     }
3885     acl = qemu_opt_get_bool(opts, "acl", false);
3886     tlsauthz = qemu_opt_get(opts, "tls-authz");
3887     if (acl && tlsauthz) {
3888         error_setg(errp, "'acl' option is mutually exclusive with the "
3889                    "'tls-authz' option");
3890         goto fail;
3891     }
3892     if (tlsauthz && !vd->tlscreds) {
3893         error_setg(errp, "'tls-authz' provided but TLS is not enabled");
3894         goto fail;
3895     }
3896 
3897     saslauthz = qemu_opt_get(opts, "sasl-authz");
3898     if (acl && saslauthz) {
3899         error_setg(errp, "'acl' option is mutually exclusive with the "
3900                    "'sasl-authz' option");
3901         goto fail;
3902     }
3903     if (saslauthz && !sasl) {
3904         error_setg(errp, "'sasl-authz' provided but SASL auth is not enabled");
3905         goto fail;
3906     }
3907 
3908     share = qemu_opt_get(opts, "share");
3909     if (share) {
3910         if (strcmp(share, "ignore") == 0) {
3911             vd->share_policy = VNC_SHARE_POLICY_IGNORE;
3912         } else if (strcmp(share, "allow-exclusive") == 0) {
3913             vd->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
3914         } else if (strcmp(share, "force-shared") == 0) {
3915             vd->share_policy = VNC_SHARE_POLICY_FORCE_SHARED;
3916         } else {
3917             error_setg(errp, "unknown vnc share= option");
3918             goto fail;
3919         }
3920     } else {
3921         vd->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
3922     }
3923     vd->connections_limit = qemu_opt_get_number(opts, "connections", 32);
3924 
3925 #ifdef CONFIG_VNC_JPEG
3926     vd->lossy = qemu_opt_get_bool(opts, "lossy", false);
3927 #endif
3928     vd->non_adaptive = qemu_opt_get_bool(opts, "non-adaptive", false);
3929     /* adaptive updates are only used with tight encoding and
3930      * if lossy updates are enabled so we can disable all the
3931      * calculations otherwise */
3932     if (!vd->lossy) {
3933         vd->non_adaptive = true;
3934     }
3935 
3936     if (tlsauthz) {
3937         vd->tlsauthzid = g_strdup(tlsauthz);
3938     } else if (acl) {
3939         if (strcmp(vd->id, "default") == 0) {
3940             vd->tlsauthzid = g_strdup("vnc.x509dname");
3941         } else {
3942             vd->tlsauthzid = g_strdup_printf("vnc.%s.x509dname", vd->id);
3943         }
3944         vd->tlsauthz = QAUTHZ(qauthz_list_new(vd->tlsauthzid,
3945                                               QAUTHZ_LIST_POLICY_DENY,
3946                                               &error_abort));
3947     }
3948 #ifdef CONFIG_VNC_SASL
3949     if (sasl) {
3950         if (saslauthz) {
3951             vd->sasl.authzid = g_strdup(saslauthz);
3952         } else if (acl) {
3953             if (strcmp(vd->id, "default") == 0) {
3954                 vd->sasl.authzid = g_strdup("vnc.username");
3955             } else {
3956                 vd->sasl.authzid = g_strdup_printf("vnc.%s.username", vd->id);
3957             }
3958             vd->sasl.authz = QAUTHZ(qauthz_list_new(vd->sasl.authzid,
3959                                                     QAUTHZ_LIST_POLICY_DENY,
3960                                                     &error_abort));
3961         }
3962     }
3963 #endif
3964 
3965     if (vnc_display_setup_auth(&vd->auth, &vd->subauth,
3966                                vd->tlscreds, password,
3967                                sasl, false, errp) < 0) {
3968         goto fail;
3969     }
3970     trace_vnc_auth_init(vd, 0, vd->auth, vd->subauth);
3971 
3972     if (vnc_display_setup_auth(&vd->ws_auth, &vd->ws_subauth,
3973                                vd->tlscreds, password,
3974                                sasl, true, errp) < 0) {
3975         goto fail;
3976     }
3977     trace_vnc_auth_init(vd, 1, vd->ws_auth, vd->ws_subauth);
3978 
3979 #ifdef CONFIG_VNC_SASL
3980     if (sasl) {
3981         int saslErr = sasl_server_init(NULL, "qemu");
3982 
3983         if (saslErr != SASL_OK) {
3984             error_setg(errp, "Failed to initialize SASL auth: %s",
3985                        sasl_errstring(saslErr, NULL, NULL));
3986             goto fail;
3987         }
3988     }
3989 #endif
3990     vd->lock_key_sync = lock_key_sync;
3991     if (lock_key_sync) {
3992         vd->led = qemu_add_led_event_handler(kbd_leds, vd);
3993     }
3994     vd->ledstate = 0;
3995 
3996     device_id = qemu_opt_get(opts, "display");
3997     if (device_id) {
3998         int head = qemu_opt_get_number(opts, "head", 0);
3999         Error *err = NULL;
4000 
4001         con = qemu_console_lookup_by_device_name(device_id, head, &err);
4002         if (err) {
4003             error_propagate(errp, err);
4004             goto fail;
4005         }
4006     } else {
4007         con = NULL;
4008     }
4009 
4010     if (con != vd->dcl.con) {
4011         qkbd_state_free(vd->kbd);
4012         unregister_displaychangelistener(&vd->dcl);
4013         vd->dcl.con = con;
4014         register_displaychangelistener(&vd->dcl);
4015         vd->kbd = qkbd_state_init(vd->dcl.con);
4016     }
4017     qkbd_state_set_delay(vd->kbd, key_delay_ms);
4018 
4019     if (saddr == NULL) {
4020         goto cleanup;
4021     }
4022 
4023     if (reverse) {
4024         if (vnc_display_connect(vd, saddr, nsaddr, wsaddr, nwsaddr, errp) < 0) {
4025             goto fail;
4026         }
4027     } else {
4028         if (vnc_display_listen(vd, saddr, nsaddr, wsaddr, nwsaddr, errp) < 0) {
4029             goto fail;
4030         }
4031     }
4032 
4033     if (qemu_opt_get(opts, "to")) {
4034         vnc_display_print_local_addr(vd);
4035     }
4036 
4037  cleanup:
4038     vnc_free_addresses(&saddr, &nsaddr);
4039     vnc_free_addresses(&wsaddr, &nwsaddr);
4040     return;
4041 
4042 fail:
4043     vnc_display_close(vd);
4044     goto cleanup;
4045 }
4046 
4047 void vnc_display_add_client(const char *id, int csock, bool skipauth)
4048 {
4049     VncDisplay *vd = vnc_display_find(id);
4050     QIOChannelSocket *sioc;
4051 
4052     if (!vd) {
4053         return;
4054     }
4055 
4056     sioc = qio_channel_socket_new_fd(csock, NULL);
4057     if (sioc) {
4058         qio_channel_set_name(QIO_CHANNEL(sioc), "vnc-server");
4059         vnc_connect(vd, sioc, skipauth, false);
4060         object_unref(OBJECT(sioc));
4061     }
4062 }
4063 
4064 static void vnc_auto_assign_id(QemuOptsList *olist, QemuOpts *opts)
4065 {
4066     int i = 2;
4067     char *id;
4068 
4069     id = g_strdup("default");
4070     while (qemu_opts_find(olist, id)) {
4071         g_free(id);
4072         id = g_strdup_printf("vnc%d", i++);
4073     }
4074     qemu_opts_set_id(opts, id);
4075 }
4076 
4077 QemuOpts *vnc_parse(const char *str, Error **errp)
4078 {
4079     QemuOptsList *olist = qemu_find_opts("vnc");
4080     QemuOpts *opts = qemu_opts_parse(olist, str, true, errp);
4081     const char *id;
4082 
4083     if (!opts) {
4084         return NULL;
4085     }
4086 
4087     id = qemu_opts_id(opts);
4088     if (!id) {
4089         /* auto-assign id if not present */
4090         vnc_auto_assign_id(olist, opts);
4091     }
4092     return opts;
4093 }
4094 
4095 int vnc_init_func(void *opaque, QemuOpts *opts, Error **errp)
4096 {
4097     Error *local_err = NULL;
4098     char *id = (char *)qemu_opts_id(opts);
4099 
4100     assert(id);
4101     vnc_display_init(id, &local_err);
4102     if (local_err) {
4103         error_propagate(errp, local_err);
4104         return -1;
4105     }
4106     vnc_display_open(id, &local_err);
4107     if (local_err != NULL) {
4108         error_propagate(errp, local_err);
4109         return -1;
4110     }
4111     return 0;
4112 }
4113 
4114 static void vnc_register_config(void)
4115 {
4116     qemu_add_opts(&qemu_vnc_opts);
4117 }
4118 opts_init(vnc_register_config);
4119