xref: /openbmc/qemu/ui/vnc.c (revision e1fe50dc)
1 /*
2  * QEMU VNC display driver
3  *
4  * Copyright (C) 2006 Anthony Liguori <anthony@codemonkey.ws>
5  * Copyright (C) 2006 Fabrice Bellard
6  * Copyright (C) 2009 Red Hat, Inc
7  *
8  * Permission is hereby granted, free of charge, to any person obtaining a copy
9  * of this software and associated documentation files (the "Software"), to deal
10  * in the Software without restriction, including without limitation the rights
11  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
12  * copies of the Software, and to permit persons to whom the Software is
13  * furnished to do so, subject to the following conditions:
14  *
15  * The above copyright notice and this permission notice shall be included in
16  * all copies or substantial portions of the Software.
17  *
18  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
19  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
20  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
21  * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
22  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
23  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
24  * THE SOFTWARE.
25  */
26 
27 #include "vnc.h"
28 #include "vnc-jobs.h"
29 #include "sysemu/sysemu.h"
30 #include "qemu/sockets.h"
31 #include "qemu/timer.h"
32 #include "qemu/acl.h"
33 #include "qapi/qmp/types.h"
34 #include "qmp-commands.h"
35 #include "qemu/osdep.h"
36 
37 #define VNC_REFRESH_INTERVAL_BASE GUI_REFRESH_INTERVAL_DEFAULT
38 #define VNC_REFRESH_INTERVAL_INC  50
39 #define VNC_REFRESH_INTERVAL_MAX  GUI_REFRESH_INTERVAL_IDLE
40 static const struct timeval VNC_REFRESH_STATS = { 0, 500000 };
41 static const struct timeval VNC_REFRESH_LOSSY = { 2, 0 };
42 
43 #include "vnc_keysym.h"
44 #include "d3des.h"
45 
46 static VncDisplay *vnc_display; /* needed for info vnc */
47 
48 static int vnc_cursor_define(VncState *vs);
49 static void vnc_release_modifiers(VncState *vs);
50 
51 static void vnc_set_share_mode(VncState *vs, VncShareMode mode)
52 {
53 #ifdef _VNC_DEBUG
54     static const char *mn[] = {
55         [0]                           = "undefined",
56         [VNC_SHARE_MODE_CONNECTING]   = "connecting",
57         [VNC_SHARE_MODE_SHARED]       = "shared",
58         [VNC_SHARE_MODE_EXCLUSIVE]    = "exclusive",
59         [VNC_SHARE_MODE_DISCONNECTED] = "disconnected",
60     };
61     fprintf(stderr, "%s/%d: %s -> %s\n", __func__,
62             vs->csock, mn[vs->share_mode], mn[mode]);
63 #endif
64 
65     if (vs->share_mode == VNC_SHARE_MODE_EXCLUSIVE) {
66         vs->vd->num_exclusive--;
67     }
68     vs->share_mode = mode;
69     if (vs->share_mode == VNC_SHARE_MODE_EXCLUSIVE) {
70         vs->vd->num_exclusive++;
71     }
72 }
73 
74 static char *addr_to_string(const char *format,
75                             struct sockaddr_storage *sa,
76                             socklen_t salen) {
77     char *addr;
78     char host[NI_MAXHOST];
79     char serv[NI_MAXSERV];
80     int err;
81     size_t addrlen;
82 
83     if ((err = getnameinfo((struct sockaddr *)sa, salen,
84                            host, sizeof(host),
85                            serv, sizeof(serv),
86                            NI_NUMERICHOST | NI_NUMERICSERV)) != 0) {
87         VNC_DEBUG("Cannot resolve address %d: %s\n",
88                   err, gai_strerror(err));
89         return NULL;
90     }
91 
92     /* Enough for the existing format + the 2 vars we're
93      * substituting in. */
94     addrlen = strlen(format) + strlen(host) + strlen(serv);
95     addr = g_malloc(addrlen + 1);
96     snprintf(addr, addrlen, format, host, serv);
97     addr[addrlen] = '\0';
98 
99     return addr;
100 }
101 
102 
103 char *vnc_socket_local_addr(const char *format, int fd) {
104     struct sockaddr_storage sa;
105     socklen_t salen;
106 
107     salen = sizeof(sa);
108     if (getsockname(fd, (struct sockaddr*)&sa, &salen) < 0)
109         return NULL;
110 
111     return addr_to_string(format, &sa, salen);
112 }
113 
114 char *vnc_socket_remote_addr(const char *format, int fd) {
115     struct sockaddr_storage sa;
116     socklen_t salen;
117 
118     salen = sizeof(sa);
119     if (getpeername(fd, (struct sockaddr*)&sa, &salen) < 0)
120         return NULL;
121 
122     return addr_to_string(format, &sa, salen);
123 }
124 
125 static int put_addr_qdict(QDict *qdict, struct sockaddr_storage *sa,
126                           socklen_t salen)
127 {
128     char host[NI_MAXHOST];
129     char serv[NI_MAXSERV];
130     int err;
131 
132     if ((err = getnameinfo((struct sockaddr *)sa, salen,
133                            host, sizeof(host),
134                            serv, sizeof(serv),
135                            NI_NUMERICHOST | NI_NUMERICSERV)) != 0) {
136         VNC_DEBUG("Cannot resolve address %d: %s\n",
137                   err, gai_strerror(err));
138         return -1;
139     }
140 
141     qdict_put(qdict, "host", qstring_from_str(host));
142     qdict_put(qdict, "service", qstring_from_str(serv));
143     qdict_put(qdict, "family",qstring_from_str(inet_strfamily(sa->ss_family)));
144 
145     return 0;
146 }
147 
148 static int vnc_server_addr_put(QDict *qdict, int fd)
149 {
150     struct sockaddr_storage sa;
151     socklen_t salen;
152 
153     salen = sizeof(sa);
154     if (getsockname(fd, (struct sockaddr*)&sa, &salen) < 0) {
155         return -1;
156     }
157 
158     return put_addr_qdict(qdict, &sa, salen);
159 }
160 
161 static int vnc_qdict_remote_addr(QDict *qdict, int fd)
162 {
163     struct sockaddr_storage sa;
164     socklen_t salen;
165 
166     salen = sizeof(sa);
167     if (getpeername(fd, (struct sockaddr*)&sa, &salen) < 0) {
168         return -1;
169     }
170 
171     return put_addr_qdict(qdict, &sa, salen);
172 }
173 
174 static const char *vnc_auth_name(VncDisplay *vd) {
175     switch (vd->auth) {
176     case VNC_AUTH_INVALID:
177         return "invalid";
178     case VNC_AUTH_NONE:
179         return "none";
180     case VNC_AUTH_VNC:
181         return "vnc";
182     case VNC_AUTH_RA2:
183         return "ra2";
184     case VNC_AUTH_RA2NE:
185         return "ra2ne";
186     case VNC_AUTH_TIGHT:
187         return "tight";
188     case VNC_AUTH_ULTRA:
189         return "ultra";
190     case VNC_AUTH_TLS:
191         return "tls";
192     case VNC_AUTH_VENCRYPT:
193 #ifdef CONFIG_VNC_TLS
194         switch (vd->subauth) {
195         case VNC_AUTH_VENCRYPT_PLAIN:
196             return "vencrypt+plain";
197         case VNC_AUTH_VENCRYPT_TLSNONE:
198             return "vencrypt+tls+none";
199         case VNC_AUTH_VENCRYPT_TLSVNC:
200             return "vencrypt+tls+vnc";
201         case VNC_AUTH_VENCRYPT_TLSPLAIN:
202             return "vencrypt+tls+plain";
203         case VNC_AUTH_VENCRYPT_X509NONE:
204             return "vencrypt+x509+none";
205         case VNC_AUTH_VENCRYPT_X509VNC:
206             return "vencrypt+x509+vnc";
207         case VNC_AUTH_VENCRYPT_X509PLAIN:
208             return "vencrypt+x509+plain";
209         case VNC_AUTH_VENCRYPT_TLSSASL:
210             return "vencrypt+tls+sasl";
211         case VNC_AUTH_VENCRYPT_X509SASL:
212             return "vencrypt+x509+sasl";
213         default:
214             return "vencrypt";
215         }
216 #else
217         return "vencrypt";
218 #endif
219     case VNC_AUTH_SASL:
220         return "sasl";
221     }
222     return "unknown";
223 }
224 
225 static int vnc_server_info_put(QDict *qdict)
226 {
227     if (vnc_server_addr_put(qdict, vnc_display->lsock) < 0) {
228         return -1;
229     }
230 
231     qdict_put(qdict, "auth", qstring_from_str(vnc_auth_name(vnc_display)));
232     return 0;
233 }
234 
235 static void vnc_client_cache_auth(VncState *client)
236 {
237 #if defined(CONFIG_VNC_TLS) || defined(CONFIG_VNC_SASL)
238     QDict *qdict;
239 #endif
240 
241     if (!client->info) {
242         return;
243     }
244 
245 #if defined(CONFIG_VNC_TLS) || defined(CONFIG_VNC_SASL)
246     qdict = qobject_to_qdict(client->info);
247 #endif
248 
249 #ifdef CONFIG_VNC_TLS
250     if (client->tls.session &&
251         client->tls.dname) {
252         qdict_put(qdict, "x509_dname", qstring_from_str(client->tls.dname));
253     }
254 #endif
255 #ifdef CONFIG_VNC_SASL
256     if (client->sasl.conn &&
257         client->sasl.username) {
258         qdict_put(qdict, "sasl_username",
259                   qstring_from_str(client->sasl.username));
260     }
261 #endif
262 }
263 
264 static void vnc_client_cache_addr(VncState *client)
265 {
266     QDict *qdict;
267 
268     qdict = qdict_new();
269     if (vnc_qdict_remote_addr(qdict, client->csock) < 0) {
270         QDECREF(qdict);
271         /* XXX: how to report the error? */
272         return;
273     }
274 
275     client->info = QOBJECT(qdict);
276 }
277 
278 static void vnc_qmp_event(VncState *vs, MonitorEvent event)
279 {
280     QDict *server;
281     QObject *data;
282 
283     if (!vs->info) {
284         return;
285     }
286 
287     server = qdict_new();
288     if (vnc_server_info_put(server) < 0) {
289         QDECREF(server);
290         return;
291     }
292 
293     data = qobject_from_jsonf("{ 'client': %p, 'server': %p }",
294                               vs->info, QOBJECT(server));
295 
296     monitor_protocol_event(event, data);
297 
298     qobject_incref(vs->info);
299     qobject_decref(data);
300 }
301 
302 static VncClientInfo *qmp_query_vnc_client(const VncState *client)
303 {
304     struct sockaddr_storage sa;
305     socklen_t salen = sizeof(sa);
306     char host[NI_MAXHOST];
307     char serv[NI_MAXSERV];
308     VncClientInfo *info;
309 
310     if (getpeername(client->csock, (struct sockaddr *)&sa, &salen) < 0) {
311         return NULL;
312     }
313 
314     if (getnameinfo((struct sockaddr *)&sa, salen,
315                     host, sizeof(host),
316                     serv, sizeof(serv),
317                     NI_NUMERICHOST | NI_NUMERICSERV) < 0) {
318         return NULL;
319     }
320 
321     info = g_malloc0(sizeof(*info));
322     info->host = g_strdup(host);
323     info->service = g_strdup(serv);
324     info->family = g_strdup(inet_strfamily(sa.ss_family));
325 
326 #ifdef CONFIG_VNC_TLS
327     if (client->tls.session && client->tls.dname) {
328         info->has_x509_dname = true;
329         info->x509_dname = g_strdup(client->tls.dname);
330     }
331 #endif
332 #ifdef CONFIG_VNC_SASL
333     if (client->sasl.conn && client->sasl.username) {
334         info->has_sasl_username = true;
335         info->sasl_username = g_strdup(client->sasl.username);
336     }
337 #endif
338 
339     return info;
340 }
341 
342 VncInfo *qmp_query_vnc(Error **errp)
343 {
344     VncInfo *info = g_malloc0(sizeof(*info));
345 
346     if (vnc_display == NULL || vnc_display->display == NULL) {
347         info->enabled = false;
348     } else {
349         VncClientInfoList *cur_item = NULL;
350         struct sockaddr_storage sa;
351         socklen_t salen = sizeof(sa);
352         char host[NI_MAXHOST];
353         char serv[NI_MAXSERV];
354         VncState *client;
355 
356         info->enabled = true;
357 
358         /* for compatibility with the original command */
359         info->has_clients = true;
360 
361         QTAILQ_FOREACH(client, &vnc_display->clients, next) {
362             VncClientInfoList *cinfo = g_malloc0(sizeof(*info));
363             cinfo->value = qmp_query_vnc_client(client);
364 
365             /* XXX: waiting for the qapi to support GSList */
366             if (!cur_item) {
367                 info->clients = cur_item = cinfo;
368             } else {
369                 cur_item->next = cinfo;
370                 cur_item = cinfo;
371             }
372         }
373 
374         if (vnc_display->lsock == -1) {
375             return info;
376         }
377 
378         if (getsockname(vnc_display->lsock, (struct sockaddr *)&sa,
379                         &salen) == -1) {
380             error_set(errp, QERR_UNDEFINED_ERROR);
381             goto out_error;
382         }
383 
384         if (getnameinfo((struct sockaddr *)&sa, salen,
385                         host, sizeof(host),
386                         serv, sizeof(serv),
387                         NI_NUMERICHOST | NI_NUMERICSERV) < 0) {
388             error_set(errp, QERR_UNDEFINED_ERROR);
389             goto out_error;
390         }
391 
392         info->has_host = true;
393         info->host = g_strdup(host);
394 
395         info->has_service = true;
396         info->service = g_strdup(serv);
397 
398         info->has_family = true;
399         info->family = g_strdup(inet_strfamily(sa.ss_family));
400 
401         info->has_auth = true;
402         info->auth = g_strdup(vnc_auth_name(vnc_display));
403     }
404 
405     return info;
406 
407 out_error:
408     qapi_free_VncInfo(info);
409     return NULL;
410 }
411 
412 /* TODO
413    1) Get the queue working for IO.
414    2) there is some weirdness when using the -S option (the screen is grey
415       and not totally invalidated
416    3) resolutions > 1024
417 */
418 
419 static int vnc_update_client(VncState *vs, int has_dirty);
420 static int vnc_update_client_sync(VncState *vs, int has_dirty);
421 static void vnc_disconnect_start(VncState *vs);
422 
423 static void vnc_colordepth(VncState *vs);
424 static void framebuffer_update_request(VncState *vs, int incremental,
425                                        int x_position, int y_position,
426                                        int w, int h);
427 static void vnc_refresh(DisplayChangeListener *dcl);
428 static int vnc_refresh_server_surface(VncDisplay *vd);
429 
430 static void vnc_dpy_update(DisplayChangeListener *dcl,
431                            int x, int y, int w, int h)
432 {
433     int i;
434     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
435     struct VncSurface *s = &vd->guest;
436     int width = surface_width(vd->ds);
437     int height = surface_height(vd->ds);
438 
439     h += y;
440 
441     /* round x down to ensure the loop only spans one 16-pixel block per,
442        iteration.  otherwise, if (x % 16) != 0, the last iteration may span
443        two 16-pixel blocks but we only mark the first as dirty
444     */
445     w += (x % 16);
446     x -= (x % 16);
447 
448     x = MIN(x, width);
449     y = MIN(y, height);
450     w = MIN(x + w, width) - x;
451     h = MIN(h, height);
452 
453     for (; y < h; y++)
454         for (i = 0; i < w; i += 16)
455             set_bit((x + i) / 16, s->dirty[y]);
456 }
457 
458 void vnc_framebuffer_update(VncState *vs, int x, int y, int w, int h,
459                             int32_t encoding)
460 {
461     vnc_write_u16(vs, x);
462     vnc_write_u16(vs, y);
463     vnc_write_u16(vs, w);
464     vnc_write_u16(vs, h);
465 
466     vnc_write_s32(vs, encoding);
467 }
468 
469 void buffer_reserve(Buffer *buffer, size_t len)
470 {
471     if ((buffer->capacity - buffer->offset) < len) {
472         buffer->capacity += (len + 1024);
473         buffer->buffer = g_realloc(buffer->buffer, buffer->capacity);
474         if (buffer->buffer == NULL) {
475             fprintf(stderr, "vnc: out of memory\n");
476             exit(1);
477         }
478     }
479 }
480 
481 static int buffer_empty(Buffer *buffer)
482 {
483     return buffer->offset == 0;
484 }
485 
486 uint8_t *buffer_end(Buffer *buffer)
487 {
488     return buffer->buffer + buffer->offset;
489 }
490 
491 void buffer_reset(Buffer *buffer)
492 {
493         buffer->offset = 0;
494 }
495 
496 void buffer_free(Buffer *buffer)
497 {
498     g_free(buffer->buffer);
499     buffer->offset = 0;
500     buffer->capacity = 0;
501     buffer->buffer = NULL;
502 }
503 
504 void buffer_append(Buffer *buffer, const void *data, size_t len)
505 {
506     memcpy(buffer->buffer + buffer->offset, data, len);
507     buffer->offset += len;
508 }
509 
510 void buffer_advance(Buffer *buf, size_t len)
511 {
512     memmove(buf->buffer, buf->buffer + len,
513             (buf->offset - len));
514     buf->offset -= len;
515 }
516 
517 static void vnc_desktop_resize(VncState *vs)
518 {
519     DisplaySurface *ds = vs->vd->ds;
520 
521     if (vs->csock == -1 || !vnc_has_feature(vs, VNC_FEATURE_RESIZE)) {
522         return;
523     }
524     if (vs->client_width == surface_width(ds) &&
525         vs->client_height == surface_height(ds)) {
526         return;
527     }
528     vs->client_width = surface_width(ds);
529     vs->client_height = surface_height(ds);
530     vnc_lock_output(vs);
531     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
532     vnc_write_u8(vs, 0);
533     vnc_write_u16(vs, 1); /* number of rects */
534     vnc_framebuffer_update(vs, 0, 0, vs->client_width, vs->client_height,
535                            VNC_ENCODING_DESKTOPRESIZE);
536     vnc_unlock_output(vs);
537     vnc_flush(vs);
538 }
539 
540 static void vnc_abort_display_jobs(VncDisplay *vd)
541 {
542     VncState *vs;
543 
544     QTAILQ_FOREACH(vs, &vd->clients, next) {
545         vnc_lock_output(vs);
546         vs->abort = true;
547         vnc_unlock_output(vs);
548     }
549     QTAILQ_FOREACH(vs, &vd->clients, next) {
550         vnc_jobs_join(vs);
551     }
552     QTAILQ_FOREACH(vs, &vd->clients, next) {
553         vnc_lock_output(vs);
554         vs->abort = false;
555         vnc_unlock_output(vs);
556     }
557 }
558 
559 int vnc_server_fb_stride(VncDisplay *vd)
560 {
561     return pixman_image_get_stride(vd->server);
562 }
563 
564 void *vnc_server_fb_ptr(VncDisplay *vd, int x, int y)
565 {
566     uint8_t *ptr;
567 
568     ptr  = (uint8_t *)pixman_image_get_data(vd->server);
569     ptr += y * vnc_server_fb_stride(vd);
570     ptr += x * VNC_SERVER_FB_BYTES;
571     return ptr;
572 }
573 
574 static void vnc_dpy_switch(DisplayChangeListener *dcl,
575                            DisplaySurface *surface)
576 {
577     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
578     VncState *vs;
579 
580     vnc_abort_display_jobs(vd);
581 
582     /* server surface */
583     qemu_pixman_image_unref(vd->server);
584     vd->ds = surface;
585     vd->server = pixman_image_create_bits(VNC_SERVER_FB_FORMAT,
586                                           surface_width(vd->ds),
587                                           surface_height(vd->ds),
588                                           NULL, 0);
589 
590     /* guest surface */
591 #if 0 /* FIXME */
592     if (ds_get_bytes_per_pixel(ds) != vd->guest.ds->pf.bytes_per_pixel)
593         console_color_init(ds);
594 #endif
595     qemu_pixman_image_unref(vd->guest.fb);
596     vd->guest.fb = pixman_image_ref(surface->image);
597     vd->guest.format = surface->format;
598     memset(vd->guest.dirty, 0xFF, sizeof(vd->guest.dirty));
599 
600     QTAILQ_FOREACH(vs, &vd->clients, next) {
601         vnc_colordepth(vs);
602         vnc_desktop_resize(vs);
603         if (vs->vd->cursor) {
604             vnc_cursor_define(vs);
605         }
606         memset(vs->dirty, 0xFF, sizeof(vs->dirty));
607     }
608 }
609 
610 /* fastest code */
611 static void vnc_write_pixels_copy(VncState *vs,
612                                   void *pixels, int size)
613 {
614     vnc_write(vs, pixels, size);
615 }
616 
617 /* slowest but generic code. */
618 void vnc_convert_pixel(VncState *vs, uint8_t *buf, uint32_t v)
619 {
620     uint8_t r, g, b;
621 
622 #if VNC_SERVER_FB_FORMAT == PIXMAN_FORMAT(32, PIXMAN_TYPE_ARGB, 0, 8, 8, 8)
623     r = (((v & 0x00ff0000) >> 16) << vs->client_pf.rbits) >> 8;
624     g = (((v & 0x0000ff00) >>  8) << vs->client_pf.gbits) >> 8;
625     b = (((v & 0x000000ff) >>  0) << vs->client_pf.bbits) >> 8;
626 #else
627 # error need some bits here if you change VNC_SERVER_FB_FORMAT
628 #endif
629     v = (r << vs->client_pf.rshift) |
630         (g << vs->client_pf.gshift) |
631         (b << vs->client_pf.bshift);
632     switch (vs->client_pf.bytes_per_pixel) {
633     case 1:
634         buf[0] = v;
635         break;
636     case 2:
637         if (vs->client_be) {
638             buf[0] = v >> 8;
639             buf[1] = v;
640         } else {
641             buf[1] = v >> 8;
642             buf[0] = v;
643         }
644         break;
645     default:
646     case 4:
647         if (vs->client_be) {
648             buf[0] = v >> 24;
649             buf[1] = v >> 16;
650             buf[2] = v >> 8;
651             buf[3] = v;
652         } else {
653             buf[3] = v >> 24;
654             buf[2] = v >> 16;
655             buf[1] = v >> 8;
656             buf[0] = v;
657         }
658         break;
659     }
660 }
661 
662 static void vnc_write_pixels_generic(VncState *vs,
663                                      void *pixels1, int size)
664 {
665     uint8_t buf[4];
666 
667     if (VNC_SERVER_FB_BYTES == 4) {
668         uint32_t *pixels = pixels1;
669         int n, i;
670         n = size >> 2;
671         for (i = 0; i < n; i++) {
672             vnc_convert_pixel(vs, buf, pixels[i]);
673             vnc_write(vs, buf, vs->client_pf.bytes_per_pixel);
674         }
675     }
676 }
677 
678 int vnc_raw_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
679 {
680     int i;
681     uint8_t *row;
682     VncDisplay *vd = vs->vd;
683 
684     row = vnc_server_fb_ptr(vd, x, y);
685     for (i = 0; i < h; i++) {
686         vs->write_pixels(vs, row, w * VNC_SERVER_FB_BYTES);
687         row += vnc_server_fb_stride(vd);
688     }
689     return 1;
690 }
691 
692 int vnc_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
693 {
694     int n = 0;
695 
696     switch(vs->vnc_encoding) {
697         case VNC_ENCODING_ZLIB:
698             n = vnc_zlib_send_framebuffer_update(vs, x, y, w, h);
699             break;
700         case VNC_ENCODING_HEXTILE:
701             vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_HEXTILE);
702             n = vnc_hextile_send_framebuffer_update(vs, x, y, w, h);
703             break;
704         case VNC_ENCODING_TIGHT:
705             n = vnc_tight_send_framebuffer_update(vs, x, y, w, h);
706             break;
707         case VNC_ENCODING_TIGHT_PNG:
708             n = vnc_tight_png_send_framebuffer_update(vs, x, y, w, h);
709             break;
710         case VNC_ENCODING_ZRLE:
711             n = vnc_zrle_send_framebuffer_update(vs, x, y, w, h);
712             break;
713         case VNC_ENCODING_ZYWRLE:
714             n = vnc_zywrle_send_framebuffer_update(vs, x, y, w, h);
715             break;
716         default:
717             vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_RAW);
718             n = vnc_raw_send_framebuffer_update(vs, x, y, w, h);
719             break;
720     }
721     return n;
722 }
723 
724 static void vnc_copy(VncState *vs, int src_x, int src_y, int dst_x, int dst_y, int w, int h)
725 {
726     /* send bitblit op to the vnc client */
727     vnc_lock_output(vs);
728     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
729     vnc_write_u8(vs, 0);
730     vnc_write_u16(vs, 1); /* number of rects */
731     vnc_framebuffer_update(vs, dst_x, dst_y, w, h, VNC_ENCODING_COPYRECT);
732     vnc_write_u16(vs, src_x);
733     vnc_write_u16(vs, src_y);
734     vnc_unlock_output(vs);
735     vnc_flush(vs);
736 }
737 
738 static void vnc_dpy_copy(DisplayChangeListener *dcl,
739                          int src_x, int src_y,
740                          int dst_x, int dst_y, int w, int h)
741 {
742     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
743     VncState *vs, *vn;
744     uint8_t *src_row;
745     uint8_t *dst_row;
746     int i, x, y, pitch, inc, w_lim, s;
747     int cmp_bytes;
748 
749     vnc_refresh_server_surface(vd);
750     QTAILQ_FOREACH_SAFE(vs, &vd->clients, next, vn) {
751         if (vnc_has_feature(vs, VNC_FEATURE_COPYRECT)) {
752             vs->force_update = 1;
753             vnc_update_client_sync(vs, 1);
754             /* vs might be free()ed here */
755         }
756     }
757 
758     /* do bitblit op on the local surface too */
759     pitch = vnc_server_fb_stride(vd);
760     src_row = vnc_server_fb_ptr(vd, src_x, src_y);
761     dst_row = vnc_server_fb_ptr(vd, dst_x, dst_y);
762     y = dst_y;
763     inc = 1;
764     if (dst_y > src_y) {
765         /* copy backwards */
766         src_row += pitch * (h-1);
767         dst_row += pitch * (h-1);
768         pitch = -pitch;
769         y = dst_y + h - 1;
770         inc = -1;
771     }
772     w_lim = w - (16 - (dst_x % 16));
773     if (w_lim < 0)
774         w_lim = w;
775     else
776         w_lim = w - (w_lim % 16);
777     for (i = 0; i < h; i++) {
778         for (x = 0; x <= w_lim;
779                 x += s, src_row += cmp_bytes, dst_row += cmp_bytes) {
780             if (x == w_lim) {
781                 if ((s = w - w_lim) == 0)
782                     break;
783             } else if (!x) {
784                 s = (16 - (dst_x % 16));
785                 s = MIN(s, w_lim);
786             } else {
787                 s = 16;
788             }
789             cmp_bytes = s * VNC_SERVER_FB_BYTES;
790             if (memcmp(src_row, dst_row, cmp_bytes) == 0)
791                 continue;
792             memmove(dst_row, src_row, cmp_bytes);
793             QTAILQ_FOREACH(vs, &vd->clients, next) {
794                 if (!vnc_has_feature(vs, VNC_FEATURE_COPYRECT)) {
795                     set_bit(((x + dst_x) / 16), vs->dirty[y]);
796                 }
797             }
798         }
799         src_row += pitch - w * VNC_SERVER_FB_BYTES;
800         dst_row += pitch - w * VNC_SERVER_FB_BYTES;
801         y += inc;
802     }
803 
804     QTAILQ_FOREACH(vs, &vd->clients, next) {
805         if (vnc_has_feature(vs, VNC_FEATURE_COPYRECT)) {
806             vnc_copy(vs, src_x, src_y, dst_x, dst_y, w, h);
807         }
808     }
809 }
810 
811 static void vnc_mouse_set(DisplayChangeListener *dcl,
812                           int x, int y, int visible)
813 {
814     /* can we ask the client(s) to move the pointer ??? */
815 }
816 
817 static int vnc_cursor_define(VncState *vs)
818 {
819     QEMUCursor *c = vs->vd->cursor;
820     int isize;
821 
822     if (vnc_has_feature(vs, VNC_FEATURE_RICH_CURSOR)) {
823         vnc_lock_output(vs);
824         vnc_write_u8(vs,  VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
825         vnc_write_u8(vs,  0);  /*  padding     */
826         vnc_write_u16(vs, 1);  /*  # of rects  */
827         vnc_framebuffer_update(vs, c->hot_x, c->hot_y, c->width, c->height,
828                                VNC_ENCODING_RICH_CURSOR);
829         isize = c->width * c->height * vs->client_pf.bytes_per_pixel;
830         vnc_write_pixels_generic(vs, c->data, isize);
831         vnc_write(vs, vs->vd->cursor_mask, vs->vd->cursor_msize);
832         vnc_unlock_output(vs);
833         return 0;
834     }
835     return -1;
836 }
837 
838 static void vnc_dpy_cursor_define(DisplayChangeListener *dcl,
839                                   QEMUCursor *c)
840 {
841     VncDisplay *vd = vnc_display;
842     VncState *vs;
843 
844     cursor_put(vd->cursor);
845     g_free(vd->cursor_mask);
846 
847     vd->cursor = c;
848     cursor_get(vd->cursor);
849     vd->cursor_msize = cursor_get_mono_bpl(c) * c->height;
850     vd->cursor_mask = g_malloc0(vd->cursor_msize);
851     cursor_get_mono_mask(c, 0, vd->cursor_mask);
852 
853     QTAILQ_FOREACH(vs, &vd->clients, next) {
854         vnc_cursor_define(vs);
855     }
856 }
857 
858 static int find_and_clear_dirty_height(struct VncState *vs,
859                                        int y, int last_x, int x, int height)
860 {
861     int h;
862 
863     for (h = 1; h < (height - y); h++) {
864         int tmp_x;
865         if (!test_bit(last_x, vs->dirty[y + h])) {
866             break;
867         }
868         for (tmp_x = last_x; tmp_x < x; tmp_x++) {
869             clear_bit(tmp_x, vs->dirty[y + h]);
870         }
871     }
872 
873     return h;
874 }
875 
876 static int vnc_update_client_sync(VncState *vs, int has_dirty)
877 {
878     int ret = vnc_update_client(vs, has_dirty);
879     vnc_jobs_join(vs);
880     return ret;
881 }
882 
883 static int vnc_update_client(VncState *vs, int has_dirty)
884 {
885     if (vs->need_update && vs->csock != -1) {
886         VncDisplay *vd = vs->vd;
887         VncJob *job;
888         int y;
889         int width, height;
890         int n = 0;
891 
892 
893         if (vs->output.offset && !vs->audio_cap && !vs->force_update)
894             /* kernel send buffers are full -> drop frames to throttle */
895             return 0;
896 
897         if (!has_dirty && !vs->audio_cap && !vs->force_update)
898             return 0;
899 
900         /*
901          * Send screen updates to the vnc client using the server
902          * surface and server dirty map.  guest surface updates
903          * happening in parallel don't disturb us, the next pass will
904          * send them to the client.
905          */
906         job = vnc_job_new(vs);
907 
908         width = MIN(pixman_image_get_width(vd->server), vs->client_width);
909         height = MIN(pixman_image_get_height(vd->server), vs->client_height);
910 
911         for (y = 0; y < height; y++) {
912             int x;
913             int last_x = -1;
914             for (x = 0; x < width / 16; x++) {
915                 if (test_and_clear_bit(x, vs->dirty[y])) {
916                     if (last_x == -1) {
917                         last_x = x;
918                     }
919                 } else {
920                     if (last_x != -1) {
921                         int h = find_and_clear_dirty_height(vs, y, last_x, x,
922                                                             height);
923 
924                         n += vnc_job_add_rect(job, last_x * 16, y,
925                                               (x - last_x) * 16, h);
926                     }
927                     last_x = -1;
928                 }
929             }
930             if (last_x != -1) {
931                 int h = find_and_clear_dirty_height(vs, y, last_x, x, height);
932                 n += vnc_job_add_rect(job, last_x * 16, y,
933                                       (x - last_x) * 16, h);
934             }
935         }
936 
937         vnc_job_push(job);
938         vs->force_update = 0;
939         return n;
940     }
941 
942     if (vs->csock == -1)
943         vnc_disconnect_finish(vs);
944 
945     return 0;
946 }
947 
948 /* audio */
949 static void audio_capture_notify(void *opaque, audcnotification_e cmd)
950 {
951     VncState *vs = opaque;
952 
953     switch (cmd) {
954     case AUD_CNOTIFY_DISABLE:
955         vnc_lock_output(vs);
956         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
957         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
958         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_END);
959         vnc_unlock_output(vs);
960         vnc_flush(vs);
961         break;
962 
963     case AUD_CNOTIFY_ENABLE:
964         vnc_lock_output(vs);
965         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
966         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
967         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_BEGIN);
968         vnc_unlock_output(vs);
969         vnc_flush(vs);
970         break;
971     }
972 }
973 
974 static void audio_capture_destroy(void *opaque)
975 {
976 }
977 
978 static void audio_capture(void *opaque, void *buf, int size)
979 {
980     VncState *vs = opaque;
981 
982     vnc_lock_output(vs);
983     vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
984     vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
985     vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_DATA);
986     vnc_write_u32(vs, size);
987     vnc_write(vs, buf, size);
988     vnc_unlock_output(vs);
989     vnc_flush(vs);
990 }
991 
992 static void audio_add(VncState *vs)
993 {
994     struct audio_capture_ops ops;
995 
996     if (vs->audio_cap) {
997         monitor_printf(default_mon, "audio already running\n");
998         return;
999     }
1000 
1001     ops.notify = audio_capture_notify;
1002     ops.destroy = audio_capture_destroy;
1003     ops.capture = audio_capture;
1004 
1005     vs->audio_cap = AUD_add_capture(&vs->as, &ops, vs);
1006     if (!vs->audio_cap) {
1007         monitor_printf(default_mon, "Failed to add audio capture\n");
1008     }
1009 }
1010 
1011 static void audio_del(VncState *vs)
1012 {
1013     if (vs->audio_cap) {
1014         AUD_del_capture(vs->audio_cap, vs);
1015         vs->audio_cap = NULL;
1016     }
1017 }
1018 
1019 static void vnc_disconnect_start(VncState *vs)
1020 {
1021     if (vs->csock == -1)
1022         return;
1023     vnc_set_share_mode(vs, VNC_SHARE_MODE_DISCONNECTED);
1024     qemu_set_fd_handler2(vs->csock, NULL, NULL, NULL, NULL);
1025     closesocket(vs->csock);
1026     vs->csock = -1;
1027 }
1028 
1029 void vnc_disconnect_finish(VncState *vs)
1030 {
1031     int i;
1032 
1033     vnc_jobs_join(vs); /* Wait encoding jobs */
1034 
1035     vnc_lock_output(vs);
1036     vnc_qmp_event(vs, QEVENT_VNC_DISCONNECTED);
1037 
1038     buffer_free(&vs->input);
1039     buffer_free(&vs->output);
1040 #ifdef CONFIG_VNC_WS
1041     buffer_free(&vs->ws_input);
1042     buffer_free(&vs->ws_output);
1043 #endif /* CONFIG_VNC_WS */
1044 
1045     qobject_decref(vs->info);
1046 
1047     vnc_zlib_clear(vs);
1048     vnc_tight_clear(vs);
1049     vnc_zrle_clear(vs);
1050 
1051 #ifdef CONFIG_VNC_TLS
1052     vnc_tls_client_cleanup(vs);
1053 #endif /* CONFIG_VNC_TLS */
1054 #ifdef CONFIG_VNC_SASL
1055     vnc_sasl_client_cleanup(vs);
1056 #endif /* CONFIG_VNC_SASL */
1057     audio_del(vs);
1058     vnc_release_modifiers(vs);
1059 
1060     if (vs->initialized) {
1061         QTAILQ_REMOVE(&vs->vd->clients, vs, next);
1062         qemu_remove_mouse_mode_change_notifier(&vs->mouse_mode_notifier);
1063     }
1064 
1065     if (vs->vd->lock_key_sync)
1066         qemu_remove_led_event_handler(vs->led);
1067     vnc_unlock_output(vs);
1068 
1069     qemu_mutex_destroy(&vs->output_mutex);
1070     if (vs->bh != NULL) {
1071         qemu_bh_delete(vs->bh);
1072     }
1073     buffer_free(&vs->jobs_buffer);
1074 
1075     for (i = 0; i < VNC_STAT_ROWS; ++i) {
1076         g_free(vs->lossy_rect[i]);
1077     }
1078     g_free(vs->lossy_rect);
1079     g_free(vs);
1080 }
1081 
1082 int vnc_client_io_error(VncState *vs, int ret, int last_errno)
1083 {
1084     if (ret == 0 || ret == -1) {
1085         if (ret == -1) {
1086             switch (last_errno) {
1087                 case EINTR:
1088                 case EAGAIN:
1089 #ifdef _WIN32
1090                 case WSAEWOULDBLOCK:
1091 #endif
1092                     return 0;
1093                 default:
1094                     break;
1095             }
1096         }
1097 
1098         VNC_DEBUG("Closing down client sock: ret %d, errno %d\n",
1099                   ret, ret < 0 ? last_errno : 0);
1100         vnc_disconnect_start(vs);
1101 
1102         return 0;
1103     }
1104     return ret;
1105 }
1106 
1107 
1108 void vnc_client_error(VncState *vs)
1109 {
1110     VNC_DEBUG("Closing down client sock: protocol error\n");
1111     vnc_disconnect_start(vs);
1112 }
1113 
1114 
1115 /*
1116  * Called to write a chunk of data to the client socket. The data may
1117  * be the raw data, or may have already been encoded by SASL.
1118  * The data will be written either straight onto the socket, or
1119  * written via the GNUTLS wrappers, if TLS/SSL encryption is enabled
1120  *
1121  * NB, it is theoretically possible to have 2 layers of encryption,
1122  * both SASL, and this TLS layer. It is highly unlikely in practice
1123  * though, since SASL encryption will typically be a no-op if TLS
1124  * is active
1125  *
1126  * Returns the number of bytes written, which may be less than
1127  * the requested 'datalen' if the socket would block. Returns
1128  * -1 on error, and disconnects the client socket.
1129  */
1130 long vnc_client_write_buf(VncState *vs, const uint8_t *data, size_t datalen)
1131 {
1132     long ret;
1133 #ifdef CONFIG_VNC_TLS
1134     if (vs->tls.session) {
1135         ret = gnutls_write(vs->tls.session, data, datalen);
1136         if (ret < 0) {
1137             if (ret == GNUTLS_E_AGAIN)
1138                 errno = EAGAIN;
1139             else
1140                 errno = EIO;
1141             ret = -1;
1142         }
1143     } else
1144 #endif /* CONFIG_VNC_TLS */
1145         ret = send(vs->csock, (const void *)data, datalen, 0);
1146     VNC_DEBUG("Wrote wire %p %zd -> %ld\n", data, datalen, ret);
1147     return vnc_client_io_error(vs, ret, socket_error());
1148 }
1149 
1150 
1151 /*
1152  * Called to write buffered data to the client socket, when not
1153  * using any SASL SSF encryption layers. Will write as much data
1154  * as possible without blocking. If all buffered data is written,
1155  * will switch the FD poll() handler back to read monitoring.
1156  *
1157  * Returns the number of bytes written, which may be less than
1158  * the buffered output data if the socket would block. Returns
1159  * -1 on error, and disconnects the client socket.
1160  */
1161 static long vnc_client_write_plain(VncState *vs)
1162 {
1163     long ret;
1164 
1165 #ifdef CONFIG_VNC_SASL
1166     VNC_DEBUG("Write Plain: Pending output %p size %zd offset %zd. Wait SSF %d\n",
1167               vs->output.buffer, vs->output.capacity, vs->output.offset,
1168               vs->sasl.waitWriteSSF);
1169 
1170     if (vs->sasl.conn &&
1171         vs->sasl.runSSF &&
1172         vs->sasl.waitWriteSSF) {
1173         ret = vnc_client_write_buf(vs, vs->output.buffer, vs->sasl.waitWriteSSF);
1174         if (ret)
1175             vs->sasl.waitWriteSSF -= ret;
1176     } else
1177 #endif /* CONFIG_VNC_SASL */
1178         ret = vnc_client_write_buf(vs, vs->output.buffer, vs->output.offset);
1179     if (!ret)
1180         return 0;
1181 
1182     buffer_advance(&vs->output, ret);
1183 
1184     if (vs->output.offset == 0) {
1185         qemu_set_fd_handler2(vs->csock, NULL, vnc_client_read, NULL, vs);
1186     }
1187 
1188     return ret;
1189 }
1190 
1191 
1192 /*
1193  * First function called whenever there is data to be written to
1194  * the client socket. Will delegate actual work according to whether
1195  * SASL SSF layers are enabled (thus requiring encryption calls)
1196  */
1197 static void vnc_client_write_locked(void *opaque)
1198 {
1199     VncState *vs = opaque;
1200 
1201 #ifdef CONFIG_VNC_SASL
1202     if (vs->sasl.conn &&
1203         vs->sasl.runSSF &&
1204         !vs->sasl.waitWriteSSF) {
1205         vnc_client_write_sasl(vs);
1206     } else
1207 #endif /* CONFIG_VNC_SASL */
1208     {
1209 #ifdef CONFIG_VNC_WS
1210         if (vs->encode_ws) {
1211             vnc_client_write_ws(vs);
1212         } else
1213 #endif /* CONFIG_VNC_WS */
1214         {
1215             vnc_client_write_plain(vs);
1216         }
1217     }
1218 }
1219 
1220 void vnc_client_write(void *opaque)
1221 {
1222     VncState *vs = opaque;
1223 
1224     vnc_lock_output(vs);
1225     if (vs->output.offset
1226 #ifdef CONFIG_VNC_WS
1227             || vs->ws_output.offset
1228 #endif
1229             ) {
1230         vnc_client_write_locked(opaque);
1231     } else if (vs->csock != -1) {
1232         qemu_set_fd_handler2(vs->csock, NULL, vnc_client_read, NULL, vs);
1233     }
1234     vnc_unlock_output(vs);
1235 }
1236 
1237 void vnc_read_when(VncState *vs, VncReadEvent *func, size_t expecting)
1238 {
1239     vs->read_handler = func;
1240     vs->read_handler_expect = expecting;
1241 }
1242 
1243 
1244 /*
1245  * Called to read a chunk of data from the client socket. The data may
1246  * be the raw data, or may need to be further decoded by SASL.
1247  * The data will be read either straight from to the socket, or
1248  * read via the GNUTLS wrappers, if TLS/SSL encryption is enabled
1249  *
1250  * NB, it is theoretically possible to have 2 layers of encryption,
1251  * both SASL, and this TLS layer. It is highly unlikely in practice
1252  * though, since SASL encryption will typically be a no-op if TLS
1253  * is active
1254  *
1255  * Returns the number of bytes read, which may be less than
1256  * the requested 'datalen' if the socket would block. Returns
1257  * -1 on error, and disconnects the client socket.
1258  */
1259 long vnc_client_read_buf(VncState *vs, uint8_t *data, size_t datalen)
1260 {
1261     long ret;
1262 #ifdef CONFIG_VNC_TLS
1263     if (vs->tls.session) {
1264         ret = gnutls_read(vs->tls.session, data, datalen);
1265         if (ret < 0) {
1266             if (ret == GNUTLS_E_AGAIN)
1267                 errno = EAGAIN;
1268             else
1269                 errno = EIO;
1270             ret = -1;
1271         }
1272     } else
1273 #endif /* CONFIG_VNC_TLS */
1274         ret = qemu_recv(vs->csock, data, datalen, 0);
1275     VNC_DEBUG("Read wire %p %zd -> %ld\n", data, datalen, ret);
1276     return vnc_client_io_error(vs, ret, socket_error());
1277 }
1278 
1279 
1280 /*
1281  * Called to read data from the client socket to the input buffer,
1282  * when not using any SASL SSF encryption layers. Will read as much
1283  * data as possible without blocking.
1284  *
1285  * Returns the number of bytes read. Returns -1 on error, and
1286  * disconnects the client socket.
1287  */
1288 static long vnc_client_read_plain(VncState *vs)
1289 {
1290     int ret;
1291     VNC_DEBUG("Read plain %p size %zd offset %zd\n",
1292               vs->input.buffer, vs->input.capacity, vs->input.offset);
1293     buffer_reserve(&vs->input, 4096);
1294     ret = vnc_client_read_buf(vs, buffer_end(&vs->input), 4096);
1295     if (!ret)
1296         return 0;
1297     vs->input.offset += ret;
1298     return ret;
1299 }
1300 
1301 static void vnc_jobs_bh(void *opaque)
1302 {
1303     VncState *vs = opaque;
1304 
1305     vnc_jobs_consume_buffer(vs);
1306 }
1307 
1308 /*
1309  * First function called whenever there is more data to be read from
1310  * the client socket. Will delegate actual work according to whether
1311  * SASL SSF layers are enabled (thus requiring decryption calls)
1312  */
1313 void vnc_client_read(void *opaque)
1314 {
1315     VncState *vs = opaque;
1316     long ret;
1317 
1318 #ifdef CONFIG_VNC_SASL
1319     if (vs->sasl.conn && vs->sasl.runSSF)
1320         ret = vnc_client_read_sasl(vs);
1321     else
1322 #endif /* CONFIG_VNC_SASL */
1323 #ifdef CONFIG_VNC_WS
1324         if (vs->encode_ws) {
1325             ret = vnc_client_read_ws(vs);
1326             if (ret == -1) {
1327                 vnc_disconnect_start(vs);
1328                 return;
1329             } else if (ret == -2) {
1330                 vnc_client_error(vs);
1331                 return;
1332             }
1333         } else
1334 #endif /* CONFIG_VNC_WS */
1335         {
1336         ret = vnc_client_read_plain(vs);
1337         }
1338     if (!ret) {
1339         if (vs->csock == -1)
1340             vnc_disconnect_finish(vs);
1341         return;
1342     }
1343 
1344     while (vs->read_handler && vs->input.offset >= vs->read_handler_expect) {
1345         size_t len = vs->read_handler_expect;
1346         int ret;
1347 
1348         ret = vs->read_handler(vs, vs->input.buffer, len);
1349         if (vs->csock == -1) {
1350             vnc_disconnect_finish(vs);
1351             return;
1352         }
1353 
1354         if (!ret) {
1355             buffer_advance(&vs->input, len);
1356         } else {
1357             vs->read_handler_expect = ret;
1358         }
1359     }
1360 }
1361 
1362 void vnc_write(VncState *vs, const void *data, size_t len)
1363 {
1364     buffer_reserve(&vs->output, len);
1365 
1366     if (vs->csock != -1 && buffer_empty(&vs->output)) {
1367         qemu_set_fd_handler2(vs->csock, NULL, vnc_client_read, vnc_client_write, vs);
1368     }
1369 
1370     buffer_append(&vs->output, data, len);
1371 }
1372 
1373 void vnc_write_s32(VncState *vs, int32_t value)
1374 {
1375     vnc_write_u32(vs, *(uint32_t *)&value);
1376 }
1377 
1378 void vnc_write_u32(VncState *vs, uint32_t value)
1379 {
1380     uint8_t buf[4];
1381 
1382     buf[0] = (value >> 24) & 0xFF;
1383     buf[1] = (value >> 16) & 0xFF;
1384     buf[2] = (value >>  8) & 0xFF;
1385     buf[3] = value & 0xFF;
1386 
1387     vnc_write(vs, buf, 4);
1388 }
1389 
1390 void vnc_write_u16(VncState *vs, uint16_t value)
1391 {
1392     uint8_t buf[2];
1393 
1394     buf[0] = (value >> 8) & 0xFF;
1395     buf[1] = value & 0xFF;
1396 
1397     vnc_write(vs, buf, 2);
1398 }
1399 
1400 void vnc_write_u8(VncState *vs, uint8_t value)
1401 {
1402     vnc_write(vs, (char *)&value, 1);
1403 }
1404 
1405 void vnc_flush(VncState *vs)
1406 {
1407     vnc_lock_output(vs);
1408     if (vs->csock != -1 && (vs->output.offset
1409 #ifdef CONFIG_VNC_WS
1410                 || vs->ws_output.offset
1411 #endif
1412                 )) {
1413         vnc_client_write_locked(vs);
1414     }
1415     vnc_unlock_output(vs);
1416 }
1417 
1418 static uint8_t read_u8(uint8_t *data, size_t offset)
1419 {
1420     return data[offset];
1421 }
1422 
1423 static uint16_t read_u16(uint8_t *data, size_t offset)
1424 {
1425     return ((data[offset] & 0xFF) << 8) | (data[offset + 1] & 0xFF);
1426 }
1427 
1428 static int32_t read_s32(uint8_t *data, size_t offset)
1429 {
1430     return (int32_t)((data[offset] << 24) | (data[offset + 1] << 16) |
1431                      (data[offset + 2] << 8) | data[offset + 3]);
1432 }
1433 
1434 uint32_t read_u32(uint8_t *data, size_t offset)
1435 {
1436     return ((data[offset] << 24) | (data[offset + 1] << 16) |
1437             (data[offset + 2] << 8) | data[offset + 3]);
1438 }
1439 
1440 static void client_cut_text(VncState *vs, size_t len, uint8_t *text)
1441 {
1442 }
1443 
1444 static void check_pointer_type_change(Notifier *notifier, void *data)
1445 {
1446     VncState *vs = container_of(notifier, VncState, mouse_mode_notifier);
1447     int absolute = kbd_mouse_is_absolute();
1448 
1449     if (vnc_has_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE) && vs->absolute != absolute) {
1450         vnc_lock_output(vs);
1451         vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1452         vnc_write_u8(vs, 0);
1453         vnc_write_u16(vs, 1);
1454         vnc_framebuffer_update(vs, absolute, 0,
1455                                surface_width(vs->vd->ds),
1456                                surface_height(vs->vd->ds),
1457                                VNC_ENCODING_POINTER_TYPE_CHANGE);
1458         vnc_unlock_output(vs);
1459         vnc_flush(vs);
1460     }
1461     vs->absolute = absolute;
1462 }
1463 
1464 static void pointer_event(VncState *vs, int button_mask, int x, int y)
1465 {
1466     int buttons = 0;
1467     int dz = 0;
1468     int width = surface_width(vs->vd->ds);
1469     int height = surface_height(vs->vd->ds);
1470 
1471     if (button_mask & 0x01)
1472         buttons |= MOUSE_EVENT_LBUTTON;
1473     if (button_mask & 0x02)
1474         buttons |= MOUSE_EVENT_MBUTTON;
1475     if (button_mask & 0x04)
1476         buttons |= MOUSE_EVENT_RBUTTON;
1477     if (button_mask & 0x08)
1478         dz = -1;
1479     if (button_mask & 0x10)
1480         dz = 1;
1481 
1482     if (vs->absolute) {
1483         kbd_mouse_event(width  > 1 ? x * 0x7FFF / (width  - 1) : 0x4000,
1484                         height > 1 ? y * 0x7FFF / (height - 1) : 0x4000,
1485                         dz, buttons);
1486     } else if (vnc_has_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE)) {
1487         x -= 0x7FFF;
1488         y -= 0x7FFF;
1489 
1490         kbd_mouse_event(x, y, dz, buttons);
1491     } else {
1492         if (vs->last_x != -1)
1493             kbd_mouse_event(x - vs->last_x,
1494                             y - vs->last_y,
1495                             dz, buttons);
1496         vs->last_x = x;
1497         vs->last_y = y;
1498     }
1499 }
1500 
1501 static void reset_keys(VncState *vs)
1502 {
1503     int i;
1504     for(i = 0; i < 256; i++) {
1505         if (vs->modifiers_state[i]) {
1506             if (i & SCANCODE_GREY)
1507                 kbd_put_keycode(SCANCODE_EMUL0);
1508             kbd_put_keycode(i | SCANCODE_UP);
1509             vs->modifiers_state[i] = 0;
1510         }
1511     }
1512 }
1513 
1514 static void press_key(VncState *vs, int keysym)
1515 {
1516     int keycode = keysym2scancode(vs->vd->kbd_layout, keysym) & SCANCODE_KEYMASK;
1517     if (keycode & SCANCODE_GREY)
1518         kbd_put_keycode(SCANCODE_EMUL0);
1519     kbd_put_keycode(keycode & SCANCODE_KEYCODEMASK);
1520     if (keycode & SCANCODE_GREY)
1521         kbd_put_keycode(SCANCODE_EMUL0);
1522     kbd_put_keycode(keycode | SCANCODE_UP);
1523 }
1524 
1525 static void kbd_leds(void *opaque, int ledstate)
1526 {
1527     VncState *vs = opaque;
1528     int caps, num;
1529 
1530     caps = ledstate & QEMU_CAPS_LOCK_LED ? 1 : 0;
1531     num  = ledstate & QEMU_NUM_LOCK_LED  ? 1 : 0;
1532 
1533     if (vs->modifiers_state[0x3a] != caps) {
1534         vs->modifiers_state[0x3a] = caps;
1535     }
1536     if (vs->modifiers_state[0x45] != num) {
1537         vs->modifiers_state[0x45] = num;
1538     }
1539 }
1540 
1541 static void do_key_event(VncState *vs, int down, int keycode, int sym)
1542 {
1543     /* QEMU console switch */
1544     switch(keycode) {
1545     case 0x2a:                          /* Left Shift */
1546     case 0x36:                          /* Right Shift */
1547     case 0x1d:                          /* Left CTRL */
1548     case 0x9d:                          /* Right CTRL */
1549     case 0x38:                          /* Left ALT */
1550     case 0xb8:                          /* Right ALT */
1551         if (down)
1552             vs->modifiers_state[keycode] = 1;
1553         else
1554             vs->modifiers_state[keycode] = 0;
1555         break;
1556     case 0x02 ... 0x0a: /* '1' to '9' keys */
1557         if (down && vs->modifiers_state[0x1d] && vs->modifiers_state[0x38]) {
1558             /* Reset the modifiers sent to the current console */
1559             reset_keys(vs);
1560             console_select(keycode - 0x02);
1561             return;
1562         }
1563         break;
1564     case 0x3a:                        /* CapsLock */
1565     case 0x45:                        /* NumLock */
1566         if (down)
1567             vs->modifiers_state[keycode] ^= 1;
1568         break;
1569     }
1570 
1571     if (down && vs->vd->lock_key_sync &&
1572         keycode_is_keypad(vs->vd->kbd_layout, keycode)) {
1573         /* If the numlock state needs to change then simulate an additional
1574            keypress before sending this one.  This will happen if the user
1575            toggles numlock away from the VNC window.
1576         */
1577         if (keysym_is_numlock(vs->vd->kbd_layout, sym & 0xFFFF)) {
1578             if (!vs->modifiers_state[0x45]) {
1579                 vs->modifiers_state[0x45] = 1;
1580                 press_key(vs, 0xff7f);
1581             }
1582         } else {
1583             if (vs->modifiers_state[0x45]) {
1584                 vs->modifiers_state[0x45] = 0;
1585                 press_key(vs, 0xff7f);
1586             }
1587         }
1588     }
1589 
1590     if (down && vs->vd->lock_key_sync &&
1591         ((sym >= 'A' && sym <= 'Z') || (sym >= 'a' && sym <= 'z'))) {
1592         /* If the capslock state needs to change then simulate an additional
1593            keypress before sending this one.  This will happen if the user
1594            toggles capslock away from the VNC window.
1595         */
1596         int uppercase = !!(sym >= 'A' && sym <= 'Z');
1597         int shift = !!(vs->modifiers_state[0x2a] | vs->modifiers_state[0x36]);
1598         int capslock = !!(vs->modifiers_state[0x3a]);
1599         if (capslock) {
1600             if (uppercase == shift) {
1601                 vs->modifiers_state[0x3a] = 0;
1602                 press_key(vs, 0xffe5);
1603             }
1604         } else {
1605             if (uppercase != shift) {
1606                 vs->modifiers_state[0x3a] = 1;
1607                 press_key(vs, 0xffe5);
1608             }
1609         }
1610     }
1611 
1612     if (qemu_console_is_graphic(NULL)) {
1613         if (keycode & SCANCODE_GREY)
1614             kbd_put_keycode(SCANCODE_EMUL0);
1615         if (down)
1616             kbd_put_keycode(keycode & SCANCODE_KEYCODEMASK);
1617         else
1618             kbd_put_keycode(keycode | SCANCODE_UP);
1619     } else {
1620         bool numlock = vs->modifiers_state[0x45];
1621         bool control = (vs->modifiers_state[0x1d] ||
1622                         vs->modifiers_state[0x9d]);
1623         /* QEMU console emulation */
1624         if (down) {
1625             switch (keycode) {
1626             case 0x2a:                          /* Left Shift */
1627             case 0x36:                          /* Right Shift */
1628             case 0x1d:                          /* Left CTRL */
1629             case 0x9d:                          /* Right CTRL */
1630             case 0x38:                          /* Left ALT */
1631             case 0xb8:                          /* Right ALT */
1632                 break;
1633             case 0xc8:
1634                 kbd_put_keysym(QEMU_KEY_UP);
1635                 break;
1636             case 0xd0:
1637                 kbd_put_keysym(QEMU_KEY_DOWN);
1638                 break;
1639             case 0xcb:
1640                 kbd_put_keysym(QEMU_KEY_LEFT);
1641                 break;
1642             case 0xcd:
1643                 kbd_put_keysym(QEMU_KEY_RIGHT);
1644                 break;
1645             case 0xd3:
1646                 kbd_put_keysym(QEMU_KEY_DELETE);
1647                 break;
1648             case 0xc7:
1649                 kbd_put_keysym(QEMU_KEY_HOME);
1650                 break;
1651             case 0xcf:
1652                 kbd_put_keysym(QEMU_KEY_END);
1653                 break;
1654             case 0xc9:
1655                 kbd_put_keysym(QEMU_KEY_PAGEUP);
1656                 break;
1657             case 0xd1:
1658                 kbd_put_keysym(QEMU_KEY_PAGEDOWN);
1659                 break;
1660 
1661             case 0x47:
1662                 kbd_put_keysym(numlock ? '7' : QEMU_KEY_HOME);
1663                 break;
1664             case 0x48:
1665                 kbd_put_keysym(numlock ? '8' : QEMU_KEY_UP);
1666                 break;
1667             case 0x49:
1668                 kbd_put_keysym(numlock ? '9' : QEMU_KEY_PAGEUP);
1669                 break;
1670             case 0x4b:
1671                 kbd_put_keysym(numlock ? '4' : QEMU_KEY_LEFT);
1672                 break;
1673             case 0x4c:
1674                 kbd_put_keysym('5');
1675                 break;
1676             case 0x4d:
1677                 kbd_put_keysym(numlock ? '6' : QEMU_KEY_RIGHT);
1678                 break;
1679             case 0x4f:
1680                 kbd_put_keysym(numlock ? '1' : QEMU_KEY_END);
1681                 break;
1682             case 0x50:
1683                 kbd_put_keysym(numlock ? '2' : QEMU_KEY_DOWN);
1684                 break;
1685             case 0x51:
1686                 kbd_put_keysym(numlock ? '3' : QEMU_KEY_PAGEDOWN);
1687                 break;
1688             case 0x52:
1689                 kbd_put_keysym('0');
1690                 break;
1691             case 0x53:
1692                 kbd_put_keysym(numlock ? '.' : QEMU_KEY_DELETE);
1693                 break;
1694 
1695             case 0xb5:
1696                 kbd_put_keysym('/');
1697                 break;
1698             case 0x37:
1699                 kbd_put_keysym('*');
1700                 break;
1701             case 0x4a:
1702                 kbd_put_keysym('-');
1703                 break;
1704             case 0x4e:
1705                 kbd_put_keysym('+');
1706                 break;
1707             case 0x9c:
1708                 kbd_put_keysym('\n');
1709                 break;
1710 
1711             default:
1712                 if (control) {
1713                     kbd_put_keysym(sym & 0x1f);
1714                 } else {
1715                     kbd_put_keysym(sym);
1716                 }
1717                 break;
1718             }
1719         }
1720     }
1721 }
1722 
1723 static void vnc_release_modifiers(VncState *vs)
1724 {
1725     static const int keycodes[] = {
1726         /* shift, control, alt keys, both left & right */
1727         0x2a, 0x36, 0x1d, 0x9d, 0x38, 0xb8,
1728     };
1729     int i, keycode;
1730 
1731     if (!qemu_console_is_graphic(NULL)) {
1732         return;
1733     }
1734     for (i = 0; i < ARRAY_SIZE(keycodes); i++) {
1735         keycode = keycodes[i];
1736         if (!vs->modifiers_state[keycode]) {
1737             continue;
1738         }
1739         if (keycode & SCANCODE_GREY) {
1740             kbd_put_keycode(SCANCODE_EMUL0);
1741         }
1742         kbd_put_keycode(keycode | SCANCODE_UP);
1743     }
1744 }
1745 
1746 static void key_event(VncState *vs, int down, uint32_t sym)
1747 {
1748     int keycode;
1749     int lsym = sym;
1750 
1751     if (lsym >= 'A' && lsym <= 'Z' && qemu_console_is_graphic(NULL)) {
1752         lsym = lsym - 'A' + 'a';
1753     }
1754 
1755     keycode = keysym2scancode(vs->vd->kbd_layout, lsym & 0xFFFF) & SCANCODE_KEYMASK;
1756     do_key_event(vs, down, keycode, sym);
1757 }
1758 
1759 static void ext_key_event(VncState *vs, int down,
1760                           uint32_t sym, uint16_t keycode)
1761 {
1762     /* if the user specifies a keyboard layout, always use it */
1763     if (keyboard_layout)
1764         key_event(vs, down, sym);
1765     else
1766         do_key_event(vs, down, keycode, sym);
1767 }
1768 
1769 static void framebuffer_update_request(VncState *vs, int incremental,
1770                                        int x_position, int y_position,
1771                                        int w, int h)
1772 {
1773     int i;
1774     const size_t width = surface_width(vs->vd->ds) / 16;
1775     const size_t height = surface_height(vs->vd->ds);
1776 
1777     if (y_position > height) {
1778         y_position = height;
1779     }
1780     if (y_position + h >= height) {
1781         h = height - y_position;
1782     }
1783 
1784     vs->need_update = 1;
1785     if (!incremental) {
1786         vs->force_update = 1;
1787         for (i = 0; i < h; i++) {
1788             bitmap_set(vs->dirty[y_position + i], 0, width);
1789             bitmap_clear(vs->dirty[y_position + i], width,
1790                          VNC_DIRTY_BITS - width);
1791         }
1792     }
1793 }
1794 
1795 static void send_ext_key_event_ack(VncState *vs)
1796 {
1797     vnc_lock_output(vs);
1798     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1799     vnc_write_u8(vs, 0);
1800     vnc_write_u16(vs, 1);
1801     vnc_framebuffer_update(vs, 0, 0,
1802                            surface_width(vs->vd->ds),
1803                            surface_height(vs->vd->ds),
1804                            VNC_ENCODING_EXT_KEY_EVENT);
1805     vnc_unlock_output(vs);
1806     vnc_flush(vs);
1807 }
1808 
1809 static void send_ext_audio_ack(VncState *vs)
1810 {
1811     vnc_lock_output(vs);
1812     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1813     vnc_write_u8(vs, 0);
1814     vnc_write_u16(vs, 1);
1815     vnc_framebuffer_update(vs, 0, 0,
1816                            surface_width(vs->vd->ds),
1817                            surface_height(vs->vd->ds),
1818                            VNC_ENCODING_AUDIO);
1819     vnc_unlock_output(vs);
1820     vnc_flush(vs);
1821 }
1822 
1823 static void set_encodings(VncState *vs, int32_t *encodings, size_t n_encodings)
1824 {
1825     int i;
1826     unsigned int enc = 0;
1827 
1828     vs->features = 0;
1829     vs->vnc_encoding = 0;
1830     vs->tight.compression = 9;
1831     vs->tight.quality = -1; /* Lossless by default */
1832     vs->absolute = -1;
1833 
1834     /*
1835      * Start from the end because the encodings are sent in order of preference.
1836      * This way the preferred encoding (first encoding defined in the array)
1837      * will be set at the end of the loop.
1838      */
1839     for (i = n_encodings - 1; i >= 0; i--) {
1840         enc = encodings[i];
1841         switch (enc) {
1842         case VNC_ENCODING_RAW:
1843             vs->vnc_encoding = enc;
1844             break;
1845         case VNC_ENCODING_COPYRECT:
1846             vs->features |= VNC_FEATURE_COPYRECT_MASK;
1847             break;
1848         case VNC_ENCODING_HEXTILE:
1849             vs->features |= VNC_FEATURE_HEXTILE_MASK;
1850             vs->vnc_encoding = enc;
1851             break;
1852         case VNC_ENCODING_TIGHT:
1853             vs->features |= VNC_FEATURE_TIGHT_MASK;
1854             vs->vnc_encoding = enc;
1855             break;
1856 #ifdef CONFIG_VNC_PNG
1857         case VNC_ENCODING_TIGHT_PNG:
1858             vs->features |= VNC_FEATURE_TIGHT_PNG_MASK;
1859             vs->vnc_encoding = enc;
1860             break;
1861 #endif
1862         case VNC_ENCODING_ZLIB:
1863             vs->features |= VNC_FEATURE_ZLIB_MASK;
1864             vs->vnc_encoding = enc;
1865             break;
1866         case VNC_ENCODING_ZRLE:
1867             vs->features |= VNC_FEATURE_ZRLE_MASK;
1868             vs->vnc_encoding = enc;
1869             break;
1870         case VNC_ENCODING_ZYWRLE:
1871             vs->features |= VNC_FEATURE_ZYWRLE_MASK;
1872             vs->vnc_encoding = enc;
1873             break;
1874         case VNC_ENCODING_DESKTOPRESIZE:
1875             vs->features |= VNC_FEATURE_RESIZE_MASK;
1876             break;
1877         case VNC_ENCODING_POINTER_TYPE_CHANGE:
1878             vs->features |= VNC_FEATURE_POINTER_TYPE_CHANGE_MASK;
1879             break;
1880         case VNC_ENCODING_RICH_CURSOR:
1881             vs->features |= VNC_FEATURE_RICH_CURSOR_MASK;
1882             break;
1883         case VNC_ENCODING_EXT_KEY_EVENT:
1884             send_ext_key_event_ack(vs);
1885             break;
1886         case VNC_ENCODING_AUDIO:
1887             send_ext_audio_ack(vs);
1888             break;
1889         case VNC_ENCODING_WMVi:
1890             vs->features |= VNC_FEATURE_WMVI_MASK;
1891             break;
1892         case VNC_ENCODING_COMPRESSLEVEL0 ... VNC_ENCODING_COMPRESSLEVEL0 + 9:
1893             vs->tight.compression = (enc & 0x0F);
1894             break;
1895         case VNC_ENCODING_QUALITYLEVEL0 ... VNC_ENCODING_QUALITYLEVEL0 + 9:
1896             if (vs->vd->lossy) {
1897                 vs->tight.quality = (enc & 0x0F);
1898             }
1899             break;
1900         default:
1901             VNC_DEBUG("Unknown encoding: %d (0x%.8x): %d\n", i, enc, enc);
1902             break;
1903         }
1904     }
1905     vnc_desktop_resize(vs);
1906     check_pointer_type_change(&vs->mouse_mode_notifier, NULL);
1907 }
1908 
1909 static void set_pixel_conversion(VncState *vs)
1910 {
1911     pixman_format_code_t fmt = qemu_pixman_get_format(&vs->client_pf);
1912 
1913     if (fmt == VNC_SERVER_FB_FORMAT) {
1914         vs->write_pixels = vnc_write_pixels_copy;
1915         vnc_hextile_set_pixel_conversion(vs, 0);
1916     } else {
1917         vs->write_pixels = vnc_write_pixels_generic;
1918         vnc_hextile_set_pixel_conversion(vs, 1);
1919     }
1920 }
1921 
1922 static void set_pixel_format(VncState *vs,
1923                              int bits_per_pixel, int depth,
1924                              int big_endian_flag, int true_color_flag,
1925                              int red_max, int green_max, int blue_max,
1926                              int red_shift, int green_shift, int blue_shift)
1927 {
1928     if (!true_color_flag) {
1929         vnc_client_error(vs);
1930         return;
1931     }
1932 
1933     vs->client_pf.rmax = red_max;
1934     vs->client_pf.rbits = hweight_long(red_max);
1935     vs->client_pf.rshift = red_shift;
1936     vs->client_pf.rmask = red_max << red_shift;
1937     vs->client_pf.gmax = green_max;
1938     vs->client_pf.gbits = hweight_long(green_max);
1939     vs->client_pf.gshift = green_shift;
1940     vs->client_pf.gmask = green_max << green_shift;
1941     vs->client_pf.bmax = blue_max;
1942     vs->client_pf.bbits = hweight_long(blue_max);
1943     vs->client_pf.bshift = blue_shift;
1944     vs->client_pf.bmask = blue_max << blue_shift;
1945     vs->client_pf.bits_per_pixel = bits_per_pixel;
1946     vs->client_pf.bytes_per_pixel = bits_per_pixel / 8;
1947     vs->client_pf.depth = bits_per_pixel == 32 ? 24 : bits_per_pixel;
1948     vs->client_be = big_endian_flag;
1949 
1950     set_pixel_conversion(vs);
1951 
1952     graphic_hw_invalidate(NULL);
1953     graphic_hw_update(NULL);
1954 }
1955 
1956 static void pixel_format_message (VncState *vs) {
1957     char pad[3] = { 0, 0, 0 };
1958 
1959     vs->client_pf = qemu_default_pixelformat(32);
1960 
1961     vnc_write_u8(vs, vs->client_pf.bits_per_pixel); /* bits-per-pixel */
1962     vnc_write_u8(vs, vs->client_pf.depth); /* depth */
1963 
1964 #ifdef HOST_WORDS_BIGENDIAN
1965     vnc_write_u8(vs, 1);             /* big-endian-flag */
1966 #else
1967     vnc_write_u8(vs, 0);             /* big-endian-flag */
1968 #endif
1969     vnc_write_u8(vs, 1);             /* true-color-flag */
1970     vnc_write_u16(vs, vs->client_pf.rmax);     /* red-max */
1971     vnc_write_u16(vs, vs->client_pf.gmax);     /* green-max */
1972     vnc_write_u16(vs, vs->client_pf.bmax);     /* blue-max */
1973     vnc_write_u8(vs, vs->client_pf.rshift);    /* red-shift */
1974     vnc_write_u8(vs, vs->client_pf.gshift);    /* green-shift */
1975     vnc_write_u8(vs, vs->client_pf.bshift);    /* blue-shift */
1976     vnc_write(vs, pad, 3);           /* padding */
1977 
1978     vnc_hextile_set_pixel_conversion(vs, 0);
1979     vs->write_pixels = vnc_write_pixels_copy;
1980 }
1981 
1982 static void vnc_colordepth(VncState *vs)
1983 {
1984     if (vnc_has_feature(vs, VNC_FEATURE_WMVI)) {
1985         /* Sending a WMVi message to notify the client*/
1986         vnc_lock_output(vs);
1987         vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1988         vnc_write_u8(vs, 0);
1989         vnc_write_u16(vs, 1); /* number of rects */
1990         vnc_framebuffer_update(vs, 0, 0,
1991                                surface_width(vs->vd->ds),
1992                                surface_height(vs->vd->ds),
1993                                VNC_ENCODING_WMVi);
1994         pixel_format_message(vs);
1995         vnc_unlock_output(vs);
1996         vnc_flush(vs);
1997     } else {
1998         set_pixel_conversion(vs);
1999     }
2000 }
2001 
2002 static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
2003 {
2004     int i;
2005     uint16_t limit;
2006     VncDisplay *vd = vs->vd;
2007 
2008     if (data[0] > 3) {
2009         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
2010     }
2011 
2012     switch (data[0]) {
2013     case VNC_MSG_CLIENT_SET_PIXEL_FORMAT:
2014         if (len == 1)
2015             return 20;
2016 
2017         set_pixel_format(vs, read_u8(data, 4), read_u8(data, 5),
2018                          read_u8(data, 6), read_u8(data, 7),
2019                          read_u16(data, 8), read_u16(data, 10),
2020                          read_u16(data, 12), read_u8(data, 14),
2021                          read_u8(data, 15), read_u8(data, 16));
2022         break;
2023     case VNC_MSG_CLIENT_SET_ENCODINGS:
2024         if (len == 1)
2025             return 4;
2026 
2027         if (len == 4) {
2028             limit = read_u16(data, 2);
2029             if (limit > 0)
2030                 return 4 + (limit * 4);
2031         } else
2032             limit = read_u16(data, 2);
2033 
2034         for (i = 0; i < limit; i++) {
2035             int32_t val = read_s32(data, 4 + (i * 4));
2036             memcpy(data + 4 + (i * 4), &val, sizeof(val));
2037         }
2038 
2039         set_encodings(vs, (int32_t *)(data + 4), limit);
2040         break;
2041     case VNC_MSG_CLIENT_FRAMEBUFFER_UPDATE_REQUEST:
2042         if (len == 1)
2043             return 10;
2044 
2045         framebuffer_update_request(vs,
2046                                    read_u8(data, 1), read_u16(data, 2), read_u16(data, 4),
2047                                    read_u16(data, 6), read_u16(data, 8));
2048         break;
2049     case VNC_MSG_CLIENT_KEY_EVENT:
2050         if (len == 1)
2051             return 8;
2052 
2053         key_event(vs, read_u8(data, 1), read_u32(data, 4));
2054         break;
2055     case VNC_MSG_CLIENT_POINTER_EVENT:
2056         if (len == 1)
2057             return 6;
2058 
2059         pointer_event(vs, read_u8(data, 1), read_u16(data, 2), read_u16(data, 4));
2060         break;
2061     case VNC_MSG_CLIENT_CUT_TEXT:
2062         if (len == 1)
2063             return 8;
2064 
2065         if (len == 8) {
2066             uint32_t dlen = read_u32(data, 4);
2067             if (dlen > 0)
2068                 return 8 + dlen;
2069         }
2070 
2071         client_cut_text(vs, read_u32(data, 4), data + 8);
2072         break;
2073     case VNC_MSG_CLIENT_QEMU:
2074         if (len == 1)
2075             return 2;
2076 
2077         switch (read_u8(data, 1)) {
2078         case VNC_MSG_CLIENT_QEMU_EXT_KEY_EVENT:
2079             if (len == 2)
2080                 return 12;
2081 
2082             ext_key_event(vs, read_u16(data, 2),
2083                           read_u32(data, 4), read_u32(data, 8));
2084             break;
2085         case VNC_MSG_CLIENT_QEMU_AUDIO:
2086             if (len == 2)
2087                 return 4;
2088 
2089             switch (read_u16 (data, 2)) {
2090             case VNC_MSG_CLIENT_QEMU_AUDIO_ENABLE:
2091                 audio_add(vs);
2092                 break;
2093             case VNC_MSG_CLIENT_QEMU_AUDIO_DISABLE:
2094                 audio_del(vs);
2095                 break;
2096             case VNC_MSG_CLIENT_QEMU_AUDIO_SET_FORMAT:
2097                 if (len == 4)
2098                     return 10;
2099                 switch (read_u8(data, 4)) {
2100                 case 0: vs->as.fmt = AUD_FMT_U8; break;
2101                 case 1: vs->as.fmt = AUD_FMT_S8; break;
2102                 case 2: vs->as.fmt = AUD_FMT_U16; break;
2103                 case 3: vs->as.fmt = AUD_FMT_S16; break;
2104                 case 4: vs->as.fmt = AUD_FMT_U32; break;
2105                 case 5: vs->as.fmt = AUD_FMT_S32; break;
2106                 default:
2107                     printf("Invalid audio format %d\n", read_u8(data, 4));
2108                     vnc_client_error(vs);
2109                     break;
2110                 }
2111                 vs->as.nchannels = read_u8(data, 5);
2112                 if (vs->as.nchannels != 1 && vs->as.nchannels != 2) {
2113                     printf("Invalid audio channel coount %d\n",
2114                            read_u8(data, 5));
2115                     vnc_client_error(vs);
2116                     break;
2117                 }
2118                 vs->as.freq = read_u32(data, 6);
2119                 break;
2120             default:
2121                 printf ("Invalid audio message %d\n", read_u8(data, 4));
2122                 vnc_client_error(vs);
2123                 break;
2124             }
2125             break;
2126 
2127         default:
2128             printf("Msg: %d\n", read_u16(data, 0));
2129             vnc_client_error(vs);
2130             break;
2131         }
2132         break;
2133     default:
2134         printf("Msg: %d\n", data[0]);
2135         vnc_client_error(vs);
2136         break;
2137     }
2138 
2139     vnc_read_when(vs, protocol_client_msg, 1);
2140     return 0;
2141 }
2142 
2143 static int protocol_client_init(VncState *vs, uint8_t *data, size_t len)
2144 {
2145     char buf[1024];
2146     VncShareMode mode;
2147     int size;
2148 
2149     mode = data[0] ? VNC_SHARE_MODE_SHARED : VNC_SHARE_MODE_EXCLUSIVE;
2150     switch (vs->vd->share_policy) {
2151     case VNC_SHARE_POLICY_IGNORE:
2152         /*
2153          * Ignore the shared flag.  Nothing to do here.
2154          *
2155          * Doesn't conform to the rfb spec but is traditional qemu
2156          * behavior, thus left here as option for compatibility
2157          * reasons.
2158          */
2159         break;
2160     case VNC_SHARE_POLICY_ALLOW_EXCLUSIVE:
2161         /*
2162          * Policy: Allow clients ask for exclusive access.
2163          *
2164          * Implementation: When a client asks for exclusive access,
2165          * disconnect all others. Shared connects are allowed as long
2166          * as no exclusive connection exists.
2167          *
2168          * This is how the rfb spec suggests to handle the shared flag.
2169          */
2170         if (mode == VNC_SHARE_MODE_EXCLUSIVE) {
2171             VncState *client;
2172             QTAILQ_FOREACH(client, &vs->vd->clients, next) {
2173                 if (vs == client) {
2174                     continue;
2175                 }
2176                 if (client->share_mode != VNC_SHARE_MODE_EXCLUSIVE &&
2177                     client->share_mode != VNC_SHARE_MODE_SHARED) {
2178                     continue;
2179                 }
2180                 vnc_disconnect_start(client);
2181             }
2182         }
2183         if (mode == VNC_SHARE_MODE_SHARED) {
2184             if (vs->vd->num_exclusive > 0) {
2185                 vnc_disconnect_start(vs);
2186                 return 0;
2187             }
2188         }
2189         break;
2190     case VNC_SHARE_POLICY_FORCE_SHARED:
2191         /*
2192          * Policy: Shared connects only.
2193          * Implementation: Disallow clients asking for exclusive access.
2194          *
2195          * Useful for shared desktop sessions where you don't want
2196          * someone forgetting to say -shared when running the vnc
2197          * client disconnect everybody else.
2198          */
2199         if (mode == VNC_SHARE_MODE_EXCLUSIVE) {
2200             vnc_disconnect_start(vs);
2201             return 0;
2202         }
2203         break;
2204     }
2205     vnc_set_share_mode(vs, mode);
2206 
2207     vs->client_width = surface_width(vs->vd->ds);
2208     vs->client_height = surface_height(vs->vd->ds);
2209     vnc_write_u16(vs, vs->client_width);
2210     vnc_write_u16(vs, vs->client_height);
2211 
2212     pixel_format_message(vs);
2213 
2214     if (qemu_name)
2215         size = snprintf(buf, sizeof(buf), "QEMU (%s)", qemu_name);
2216     else
2217         size = snprintf(buf, sizeof(buf), "QEMU");
2218 
2219     vnc_write_u32(vs, size);
2220     vnc_write(vs, buf, size);
2221     vnc_flush(vs);
2222 
2223     vnc_client_cache_auth(vs);
2224     vnc_qmp_event(vs, QEVENT_VNC_INITIALIZED);
2225 
2226     vnc_read_when(vs, protocol_client_msg, 1);
2227 
2228     return 0;
2229 }
2230 
2231 void start_client_init(VncState *vs)
2232 {
2233     vnc_read_when(vs, protocol_client_init, 1);
2234 }
2235 
2236 static void make_challenge(VncState *vs)
2237 {
2238     int i;
2239 
2240     srand(time(NULL)+getpid()+getpid()*987654+rand());
2241 
2242     for (i = 0 ; i < sizeof(vs->challenge) ; i++)
2243         vs->challenge[i] = (int) (256.0*rand()/(RAND_MAX+1.0));
2244 }
2245 
2246 static int protocol_client_auth_vnc(VncState *vs, uint8_t *data, size_t len)
2247 {
2248     unsigned char response[VNC_AUTH_CHALLENGE_SIZE];
2249     int i, j, pwlen;
2250     unsigned char key[8];
2251     time_t now = time(NULL);
2252 
2253     if (!vs->vd->password) {
2254         VNC_DEBUG("No password configured on server");
2255         goto reject;
2256     }
2257     if (vs->vd->expires < now) {
2258         VNC_DEBUG("Password is expired");
2259         goto reject;
2260     }
2261 
2262     memcpy(response, vs->challenge, VNC_AUTH_CHALLENGE_SIZE);
2263 
2264     /* Calculate the expected challenge response */
2265     pwlen = strlen(vs->vd->password);
2266     for (i=0; i<sizeof(key); i++)
2267         key[i] = i<pwlen ? vs->vd->password[i] : 0;
2268     deskey(key, EN0);
2269     for (j = 0; j < VNC_AUTH_CHALLENGE_SIZE; j += 8)
2270         des(response+j, response+j);
2271 
2272     /* Compare expected vs actual challenge response */
2273     if (memcmp(response, data, VNC_AUTH_CHALLENGE_SIZE) != 0) {
2274         VNC_DEBUG("Client challenge response did not match\n");
2275         goto reject;
2276     } else {
2277         VNC_DEBUG("Accepting VNC challenge response\n");
2278         vnc_write_u32(vs, 0); /* Accept auth */
2279         vnc_flush(vs);
2280 
2281         start_client_init(vs);
2282     }
2283     return 0;
2284 
2285 reject:
2286     vnc_write_u32(vs, 1); /* Reject auth */
2287     if (vs->minor >= 8) {
2288         static const char err[] = "Authentication failed";
2289         vnc_write_u32(vs, sizeof(err));
2290         vnc_write(vs, err, sizeof(err));
2291     }
2292     vnc_flush(vs);
2293     vnc_client_error(vs);
2294     return 0;
2295 }
2296 
2297 void start_auth_vnc(VncState *vs)
2298 {
2299     make_challenge(vs);
2300     /* Send client a 'random' challenge */
2301     vnc_write(vs, vs->challenge, sizeof(vs->challenge));
2302     vnc_flush(vs);
2303 
2304     vnc_read_when(vs, protocol_client_auth_vnc, sizeof(vs->challenge));
2305 }
2306 
2307 
2308 static int protocol_client_auth(VncState *vs, uint8_t *data, size_t len)
2309 {
2310     /* We only advertise 1 auth scheme at a time, so client
2311      * must pick the one we sent. Verify this */
2312     if (data[0] != vs->auth) { /* Reject auth */
2313        VNC_DEBUG("Reject auth %d because it didn't match advertized\n", (int)data[0]);
2314        vnc_write_u32(vs, 1);
2315        if (vs->minor >= 8) {
2316            static const char err[] = "Authentication failed";
2317            vnc_write_u32(vs, sizeof(err));
2318            vnc_write(vs, err, sizeof(err));
2319        }
2320        vnc_client_error(vs);
2321     } else { /* Accept requested auth */
2322        VNC_DEBUG("Client requested auth %d\n", (int)data[0]);
2323        switch (vs->auth) {
2324        case VNC_AUTH_NONE:
2325            VNC_DEBUG("Accept auth none\n");
2326            if (vs->minor >= 8) {
2327                vnc_write_u32(vs, 0); /* Accept auth completion */
2328                vnc_flush(vs);
2329            }
2330            start_client_init(vs);
2331            break;
2332 
2333        case VNC_AUTH_VNC:
2334            VNC_DEBUG("Start VNC auth\n");
2335            start_auth_vnc(vs);
2336            break;
2337 
2338 #ifdef CONFIG_VNC_TLS
2339        case VNC_AUTH_VENCRYPT:
2340            VNC_DEBUG("Accept VeNCrypt auth\n");
2341            start_auth_vencrypt(vs);
2342            break;
2343 #endif /* CONFIG_VNC_TLS */
2344 
2345 #ifdef CONFIG_VNC_SASL
2346        case VNC_AUTH_SASL:
2347            VNC_DEBUG("Accept SASL auth\n");
2348            start_auth_sasl(vs);
2349            break;
2350 #endif /* CONFIG_VNC_SASL */
2351 
2352        default: /* Should not be possible, but just in case */
2353            VNC_DEBUG("Reject auth %d server code bug\n", vs->auth);
2354            vnc_write_u8(vs, 1);
2355            if (vs->minor >= 8) {
2356                static const char err[] = "Authentication failed";
2357                vnc_write_u32(vs, sizeof(err));
2358                vnc_write(vs, err, sizeof(err));
2359            }
2360            vnc_client_error(vs);
2361        }
2362     }
2363     return 0;
2364 }
2365 
2366 static int protocol_version(VncState *vs, uint8_t *version, size_t len)
2367 {
2368     char local[13];
2369 
2370     memcpy(local, version, 12);
2371     local[12] = 0;
2372 
2373     if (sscanf(local, "RFB %03d.%03d\n", &vs->major, &vs->minor) != 2) {
2374         VNC_DEBUG("Malformed protocol version %s\n", local);
2375         vnc_client_error(vs);
2376         return 0;
2377     }
2378     VNC_DEBUG("Client request protocol version %d.%d\n", vs->major, vs->minor);
2379     if (vs->major != 3 ||
2380         (vs->minor != 3 &&
2381          vs->minor != 4 &&
2382          vs->minor != 5 &&
2383          vs->minor != 7 &&
2384          vs->minor != 8)) {
2385         VNC_DEBUG("Unsupported client version\n");
2386         vnc_write_u32(vs, VNC_AUTH_INVALID);
2387         vnc_flush(vs);
2388         vnc_client_error(vs);
2389         return 0;
2390     }
2391     /* Some broken clients report v3.4 or v3.5, which spec requires to be treated
2392      * as equivalent to v3.3 by servers
2393      */
2394     if (vs->minor == 4 || vs->minor == 5)
2395         vs->minor = 3;
2396 
2397     if (vs->minor == 3) {
2398         if (vs->auth == VNC_AUTH_NONE) {
2399             VNC_DEBUG("Tell client auth none\n");
2400             vnc_write_u32(vs, vs->auth);
2401             vnc_flush(vs);
2402             start_client_init(vs);
2403        } else if (vs->auth == VNC_AUTH_VNC) {
2404             VNC_DEBUG("Tell client VNC auth\n");
2405             vnc_write_u32(vs, vs->auth);
2406             vnc_flush(vs);
2407             start_auth_vnc(vs);
2408        } else {
2409             VNC_DEBUG("Unsupported auth %d for protocol 3.3\n", vs->auth);
2410             vnc_write_u32(vs, VNC_AUTH_INVALID);
2411             vnc_flush(vs);
2412             vnc_client_error(vs);
2413        }
2414     } else {
2415         VNC_DEBUG("Telling client we support auth %d\n", vs->auth);
2416         vnc_write_u8(vs, 1); /* num auth */
2417         vnc_write_u8(vs, vs->auth);
2418         vnc_read_when(vs, protocol_client_auth, 1);
2419         vnc_flush(vs);
2420     }
2421 
2422     return 0;
2423 }
2424 
2425 static VncRectStat *vnc_stat_rect(VncDisplay *vd, int x, int y)
2426 {
2427     struct VncSurface *vs = &vd->guest;
2428 
2429     return &vs->stats[y / VNC_STAT_RECT][x / VNC_STAT_RECT];
2430 }
2431 
2432 void vnc_sent_lossy_rect(VncState *vs, int x, int y, int w, int h)
2433 {
2434     int i, j;
2435 
2436     w = (x + w) / VNC_STAT_RECT;
2437     h = (y + h) / VNC_STAT_RECT;
2438     x /= VNC_STAT_RECT;
2439     y /= VNC_STAT_RECT;
2440 
2441     for (j = y; j <= h; j++) {
2442         for (i = x; i <= w; i++) {
2443             vs->lossy_rect[j][i] = 1;
2444         }
2445     }
2446 }
2447 
2448 static int vnc_refresh_lossy_rect(VncDisplay *vd, int x, int y)
2449 {
2450     VncState *vs;
2451     int sty = y / VNC_STAT_RECT;
2452     int stx = x / VNC_STAT_RECT;
2453     int has_dirty = 0;
2454 
2455     y = y / VNC_STAT_RECT * VNC_STAT_RECT;
2456     x = x / VNC_STAT_RECT * VNC_STAT_RECT;
2457 
2458     QTAILQ_FOREACH(vs, &vd->clients, next) {
2459         int j;
2460 
2461         /* kernel send buffers are full -> refresh later */
2462         if (vs->output.offset) {
2463             continue;
2464         }
2465 
2466         if (!vs->lossy_rect[sty][stx]) {
2467             continue;
2468         }
2469 
2470         vs->lossy_rect[sty][stx] = 0;
2471         for (j = 0; j < VNC_STAT_RECT; ++j) {
2472             bitmap_set(vs->dirty[y + j], x / 16, VNC_STAT_RECT / 16);
2473         }
2474         has_dirty++;
2475     }
2476 
2477     return has_dirty;
2478 }
2479 
2480 static int vnc_update_stats(VncDisplay *vd,  struct timeval * tv)
2481 {
2482     int width = pixman_image_get_width(vd->guest.fb);
2483     int height = pixman_image_get_height(vd->guest.fb);
2484     int x, y;
2485     struct timeval res;
2486     int has_dirty = 0;
2487 
2488     for (y = 0; y < height; y += VNC_STAT_RECT) {
2489         for (x = 0; x < width; x += VNC_STAT_RECT) {
2490             VncRectStat *rect = vnc_stat_rect(vd, x, y);
2491 
2492             rect->updated = false;
2493         }
2494     }
2495 
2496     qemu_timersub(tv, &VNC_REFRESH_STATS, &res);
2497 
2498     if (timercmp(&vd->guest.last_freq_check, &res, >)) {
2499         return has_dirty;
2500     }
2501     vd->guest.last_freq_check = *tv;
2502 
2503     for (y = 0; y < height; y += VNC_STAT_RECT) {
2504         for (x = 0; x < width; x += VNC_STAT_RECT) {
2505             VncRectStat *rect= vnc_stat_rect(vd, x, y);
2506             int count = ARRAY_SIZE(rect->times);
2507             struct timeval min, max;
2508 
2509             if (!timerisset(&rect->times[count - 1])) {
2510                 continue ;
2511             }
2512 
2513             max = rect->times[(rect->idx + count - 1) % count];
2514             qemu_timersub(tv, &max, &res);
2515 
2516             if (timercmp(&res, &VNC_REFRESH_LOSSY, >)) {
2517                 rect->freq = 0;
2518                 has_dirty += vnc_refresh_lossy_rect(vd, x, y);
2519                 memset(rect->times, 0, sizeof (rect->times));
2520                 continue ;
2521             }
2522 
2523             min = rect->times[rect->idx];
2524             max = rect->times[(rect->idx + count - 1) % count];
2525             qemu_timersub(&max, &min, &res);
2526 
2527             rect->freq = res.tv_sec + res.tv_usec / 1000000.;
2528             rect->freq /= count;
2529             rect->freq = 1. / rect->freq;
2530         }
2531     }
2532     return has_dirty;
2533 }
2534 
2535 double vnc_update_freq(VncState *vs, int x, int y, int w, int h)
2536 {
2537     int i, j;
2538     double total = 0;
2539     int num = 0;
2540 
2541     x =  (x / VNC_STAT_RECT) * VNC_STAT_RECT;
2542     y =  (y / VNC_STAT_RECT) * VNC_STAT_RECT;
2543 
2544     for (j = y; j <= y + h; j += VNC_STAT_RECT) {
2545         for (i = x; i <= x + w; i += VNC_STAT_RECT) {
2546             total += vnc_stat_rect(vs->vd, i, j)->freq;
2547             num++;
2548         }
2549     }
2550 
2551     if (num) {
2552         return total / num;
2553     } else {
2554         return 0;
2555     }
2556 }
2557 
2558 static void vnc_rect_updated(VncDisplay *vd, int x, int y, struct timeval * tv)
2559 {
2560     VncRectStat *rect;
2561 
2562     rect = vnc_stat_rect(vd, x, y);
2563     if (rect->updated) {
2564         return ;
2565     }
2566     rect->times[rect->idx] = *tv;
2567     rect->idx = (rect->idx + 1) % ARRAY_SIZE(rect->times);
2568     rect->updated = true;
2569 }
2570 
2571 static int vnc_refresh_server_surface(VncDisplay *vd)
2572 {
2573     int width = pixman_image_get_width(vd->guest.fb);
2574     int height = pixman_image_get_height(vd->guest.fb);
2575     int y;
2576     uint8_t *guest_row;
2577     uint8_t *server_row;
2578     int cmp_bytes;
2579     VncState *vs;
2580     int has_dirty = 0;
2581     pixman_image_t *tmpbuf = NULL;
2582 
2583     struct timeval tv = { 0, 0 };
2584 
2585     if (!vd->non_adaptive) {
2586         gettimeofday(&tv, NULL);
2587         has_dirty = vnc_update_stats(vd, &tv);
2588     }
2589 
2590     /*
2591      * Walk through the guest dirty map.
2592      * Check and copy modified bits from guest to server surface.
2593      * Update server dirty map.
2594      */
2595     cmp_bytes = 64;
2596     if (cmp_bytes > vnc_server_fb_stride(vd)) {
2597         cmp_bytes = vnc_server_fb_stride(vd);
2598     }
2599     if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
2600         int width = pixman_image_get_width(vd->server);
2601         tmpbuf = qemu_pixman_linebuf_create(VNC_SERVER_FB_FORMAT, width);
2602     }
2603     guest_row = (uint8_t *)pixman_image_get_data(vd->guest.fb);
2604     server_row = (uint8_t *)pixman_image_get_data(vd->server);
2605     for (y = 0; y < height; y++) {
2606         if (!bitmap_empty(vd->guest.dirty[y], VNC_DIRTY_BITS)) {
2607             int x;
2608             uint8_t *guest_ptr;
2609             uint8_t *server_ptr;
2610 
2611             if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
2612                 qemu_pixman_linebuf_fill(tmpbuf, vd->guest.fb, width, 0, y);
2613                 guest_ptr = (uint8_t *)pixman_image_get_data(tmpbuf);
2614             } else {
2615                 guest_ptr = guest_row;
2616             }
2617             server_ptr = server_row;
2618 
2619             for (x = 0; x + 15 < width;
2620                     x += 16, guest_ptr += cmp_bytes, server_ptr += cmp_bytes) {
2621                 if (!test_and_clear_bit((x / 16), vd->guest.dirty[y]))
2622                     continue;
2623                 if (memcmp(server_ptr, guest_ptr, cmp_bytes) == 0)
2624                     continue;
2625                 memcpy(server_ptr, guest_ptr, cmp_bytes);
2626                 if (!vd->non_adaptive)
2627                     vnc_rect_updated(vd, x, y, &tv);
2628                 QTAILQ_FOREACH(vs, &vd->clients, next) {
2629                     set_bit((x / 16), vs->dirty[y]);
2630                 }
2631                 has_dirty++;
2632             }
2633         }
2634         guest_row  += pixman_image_get_stride(vd->guest.fb);
2635         server_row += pixman_image_get_stride(vd->server);
2636     }
2637     qemu_pixman_image_unref(tmpbuf);
2638     return has_dirty;
2639 }
2640 
2641 static void vnc_refresh(DisplayChangeListener *dcl)
2642 {
2643     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
2644     VncState *vs, *vn;
2645     int has_dirty, rects = 0;
2646 
2647     graphic_hw_update(NULL);
2648 
2649     if (vnc_trylock_display(vd)) {
2650         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
2651         return;
2652     }
2653 
2654     has_dirty = vnc_refresh_server_surface(vd);
2655     vnc_unlock_display(vd);
2656 
2657     QTAILQ_FOREACH_SAFE(vs, &vd->clients, next, vn) {
2658         rects += vnc_update_client(vs, has_dirty);
2659         /* vs might be free()ed here */
2660     }
2661 
2662     if (QTAILQ_EMPTY(&vd->clients)) {
2663         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_MAX);
2664         return;
2665     }
2666 
2667     if (has_dirty && rects) {
2668         vd->dcl.update_interval /= 2;
2669         if (vd->dcl.update_interval < VNC_REFRESH_INTERVAL_BASE) {
2670             vd->dcl.update_interval = VNC_REFRESH_INTERVAL_BASE;
2671         }
2672     } else {
2673         vd->dcl.update_interval += VNC_REFRESH_INTERVAL_INC;
2674         if (vd->dcl.update_interval > VNC_REFRESH_INTERVAL_MAX) {
2675             vd->dcl.update_interval = VNC_REFRESH_INTERVAL_MAX;
2676         }
2677     }
2678 }
2679 
2680 static void vnc_connect(VncDisplay *vd, int csock, int skipauth, bool websocket)
2681 {
2682     VncState *vs = g_malloc0(sizeof(VncState));
2683     int i;
2684 
2685     vs->csock = csock;
2686 
2687     if (skipauth) {
2688 	vs->auth = VNC_AUTH_NONE;
2689 #ifdef CONFIG_VNC_TLS
2690 	vs->subauth = VNC_AUTH_INVALID;
2691 #endif
2692     } else {
2693 	vs->auth = vd->auth;
2694 #ifdef CONFIG_VNC_TLS
2695 	vs->subauth = vd->subauth;
2696 #endif
2697     }
2698 
2699     vs->lossy_rect = g_malloc0(VNC_STAT_ROWS * sizeof (*vs->lossy_rect));
2700     for (i = 0; i < VNC_STAT_ROWS; ++i) {
2701         vs->lossy_rect[i] = g_malloc0(VNC_STAT_COLS * sizeof (uint8_t));
2702     }
2703 
2704     VNC_DEBUG("New client on socket %d\n", csock);
2705     update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
2706     qemu_set_nonblock(vs->csock);
2707 #ifdef CONFIG_VNC_WS
2708     if (websocket) {
2709         vs->websocket = 1;
2710         qemu_set_fd_handler2(vs->csock, NULL, vncws_handshake_read, NULL, vs);
2711     } else
2712 #endif /* CONFIG_VNC_WS */
2713     {
2714         qemu_set_fd_handler2(vs->csock, NULL, vnc_client_read, NULL, vs);
2715     }
2716 
2717     vnc_client_cache_addr(vs);
2718     vnc_qmp_event(vs, QEVENT_VNC_CONNECTED);
2719     vnc_set_share_mode(vs, VNC_SHARE_MODE_CONNECTING);
2720 
2721     vs->vd = vd;
2722 
2723 #ifdef CONFIG_VNC_WS
2724     if (!vs->websocket)
2725 #endif
2726     {
2727         vnc_init_state(vs);
2728     }
2729 }
2730 
2731 void vnc_init_state(VncState *vs)
2732 {
2733     vs->initialized = true;
2734     VncDisplay *vd = vs->vd;
2735 
2736     vs->last_x = -1;
2737     vs->last_y = -1;
2738 
2739     vs->as.freq = 44100;
2740     vs->as.nchannels = 2;
2741     vs->as.fmt = AUD_FMT_S16;
2742     vs->as.endianness = 0;
2743 
2744     qemu_mutex_init(&vs->output_mutex);
2745     vs->bh = qemu_bh_new(vnc_jobs_bh, vs);
2746 
2747     QTAILQ_INSERT_HEAD(&vd->clients, vs, next);
2748 
2749     graphic_hw_update(NULL);
2750 
2751     vnc_write(vs, "RFB 003.008\n", 12);
2752     vnc_flush(vs);
2753     vnc_read_when(vs, protocol_version, 12);
2754     reset_keys(vs);
2755     if (vs->vd->lock_key_sync)
2756         vs->led = qemu_add_led_event_handler(kbd_leds, vs);
2757 
2758     vs->mouse_mode_notifier.notify = check_pointer_type_change;
2759     qemu_add_mouse_mode_change_notifier(&vs->mouse_mode_notifier);
2760 
2761     /* vs might be free()ed here */
2762 }
2763 
2764 static void vnc_listen_read(void *opaque, bool websocket)
2765 {
2766     VncDisplay *vs = opaque;
2767     struct sockaddr_in addr;
2768     socklen_t addrlen = sizeof(addr);
2769     int csock;
2770 
2771     /* Catch-up */
2772     graphic_hw_update(NULL);
2773 #ifdef CONFIG_VNC_WS
2774     if (websocket) {
2775         csock = qemu_accept(vs->lwebsock, (struct sockaddr *)&addr, &addrlen);
2776     } else
2777 #endif /* CONFIG_VNC_WS */
2778     {
2779         csock = qemu_accept(vs->lsock, (struct sockaddr *)&addr, &addrlen);
2780     }
2781 
2782     if (csock != -1) {
2783         vnc_connect(vs, csock, 0, websocket);
2784     }
2785 }
2786 
2787 static void vnc_listen_regular_read(void *opaque)
2788 {
2789     vnc_listen_read(opaque, 0);
2790 }
2791 
2792 #ifdef CONFIG_VNC_WS
2793 static void vnc_listen_websocket_read(void *opaque)
2794 {
2795     vnc_listen_read(opaque, 1);
2796 }
2797 #endif /* CONFIG_VNC_WS */
2798 
2799 static const DisplayChangeListenerOps dcl_ops = {
2800     .dpy_name          = "vnc",
2801     .dpy_refresh       = vnc_refresh,
2802     .dpy_gfx_copy      = vnc_dpy_copy,
2803     .dpy_gfx_update    = vnc_dpy_update,
2804     .dpy_gfx_switch    = vnc_dpy_switch,
2805     .dpy_mouse_set     = vnc_mouse_set,
2806     .dpy_cursor_define = vnc_dpy_cursor_define,
2807 };
2808 
2809 void vnc_display_init(DisplayState *ds)
2810 {
2811     VncDisplay *vs = g_malloc0(sizeof(*vs));
2812 
2813     vnc_display = vs;
2814 
2815     vs->lsock = -1;
2816 #ifdef CONFIG_VNC_WS
2817     vs->lwebsock = -1;
2818 #endif
2819 
2820     QTAILQ_INIT(&vs->clients);
2821     vs->expires = TIME_MAX;
2822 
2823     if (keyboard_layout)
2824         vs->kbd_layout = init_keyboard_layout(name2keysym, keyboard_layout);
2825     else
2826         vs->kbd_layout = init_keyboard_layout(name2keysym, "en-us");
2827 
2828     if (!vs->kbd_layout)
2829         exit(1);
2830 
2831     qemu_mutex_init(&vs->mutex);
2832     vnc_start_worker_thread();
2833 
2834     vs->dcl.ops = &dcl_ops;
2835     register_displaychangelistener(ds, &vs->dcl);
2836 }
2837 
2838 
2839 static void vnc_display_close(DisplayState *ds)
2840 {
2841     VncDisplay *vs = vnc_display;
2842 
2843     if (!vs)
2844         return;
2845     if (vs->display) {
2846         g_free(vs->display);
2847         vs->display = NULL;
2848     }
2849     if (vs->lsock != -1) {
2850         qemu_set_fd_handler2(vs->lsock, NULL, NULL, NULL, NULL);
2851         close(vs->lsock);
2852         vs->lsock = -1;
2853     }
2854 #ifdef CONFIG_VNC_WS
2855     g_free(vs->ws_display);
2856     vs->ws_display = NULL;
2857     if (vs->lwebsock != -1) {
2858         qemu_set_fd_handler2(vs->lwebsock, NULL, NULL, NULL, NULL);
2859         close(vs->lwebsock);
2860         vs->lwebsock = -1;
2861     }
2862 #endif /* CONFIG_VNC_WS */
2863     vs->auth = VNC_AUTH_INVALID;
2864 #ifdef CONFIG_VNC_TLS
2865     vs->subauth = VNC_AUTH_INVALID;
2866     vs->tls.x509verify = 0;
2867 #endif
2868 }
2869 
2870 static int vnc_display_disable_login(DisplayState *ds)
2871 {
2872     VncDisplay *vs = vnc_display;
2873 
2874     if (!vs) {
2875         return -1;
2876     }
2877 
2878     if (vs->password) {
2879         g_free(vs->password);
2880     }
2881 
2882     vs->password = NULL;
2883     if (vs->auth == VNC_AUTH_NONE) {
2884         vs->auth = VNC_AUTH_VNC;
2885     }
2886 
2887     return 0;
2888 }
2889 
2890 int vnc_display_password(DisplayState *ds, const char *password)
2891 {
2892     VncDisplay *vs = vnc_display;
2893 
2894     if (!vs) {
2895         return -EINVAL;
2896     }
2897 
2898     if (!password) {
2899         /* This is not the intention of this interface but err on the side
2900            of being safe */
2901         return vnc_display_disable_login(ds);
2902     }
2903 
2904     if (vs->password) {
2905         g_free(vs->password);
2906         vs->password = NULL;
2907     }
2908     vs->password = g_strdup(password);
2909     if (vs->auth == VNC_AUTH_NONE) {
2910         vs->auth = VNC_AUTH_VNC;
2911     }
2912 
2913     return 0;
2914 }
2915 
2916 int vnc_display_pw_expire(DisplayState *ds, time_t expires)
2917 {
2918     VncDisplay *vs = vnc_display;
2919 
2920     if (!vs) {
2921         return -EINVAL;
2922     }
2923 
2924     vs->expires = expires;
2925     return 0;
2926 }
2927 
2928 char *vnc_display_local_addr(DisplayState *ds)
2929 {
2930     VncDisplay *vs = vnc_display;
2931 
2932     return vnc_socket_local_addr("%s:%s", vs->lsock);
2933 }
2934 
2935 void vnc_display_open(DisplayState *ds, const char *display, Error **errp)
2936 {
2937     VncDisplay *vs = vnc_display;
2938     const char *options;
2939     int password = 0;
2940     int reverse = 0;
2941 #ifdef CONFIG_VNC_TLS
2942     int tls = 0, x509 = 0;
2943 #endif
2944 #ifdef CONFIG_VNC_SASL
2945     int sasl = 0;
2946     int saslErr;
2947 #endif
2948 #if defined(CONFIG_VNC_TLS) || defined(CONFIG_VNC_SASL)
2949     int acl = 0;
2950 #endif
2951     int lock_key_sync = 1;
2952 
2953     if (!vnc_display) {
2954         error_setg(errp, "VNC display not active");
2955         return;
2956     }
2957     vnc_display_close(ds);
2958     if (strcmp(display, "none") == 0)
2959         return;
2960 
2961     vs->display = g_strdup(display);
2962     vs->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
2963 
2964     options = display;
2965     while ((options = strchr(options, ','))) {
2966         options++;
2967         if (strncmp(options, "password", 8) == 0) {
2968             if (fips_get_state()) {
2969                 error_setg(errp,
2970                            "VNC password auth disabled due to FIPS mode, "
2971                            "consider using the VeNCrypt or SASL authentication "
2972                            "methods as an alternative");
2973                 goto fail;
2974             }
2975             password = 1; /* Require password auth */
2976         } else if (strncmp(options, "reverse", 7) == 0) {
2977             reverse = 1;
2978         } else if (strncmp(options, "no-lock-key-sync", 16) == 0) {
2979             lock_key_sync = 0;
2980 #ifdef CONFIG_VNC_SASL
2981         } else if (strncmp(options, "sasl", 4) == 0) {
2982             sasl = 1; /* Require SASL auth */
2983 #endif
2984 #ifdef CONFIG_VNC_WS
2985         } else if (strncmp(options, "websocket", 9) == 0) {
2986             char *start, *end;
2987             vs->websocket = 1;
2988 
2989             /* Check for 'websocket=<port>' */
2990             start = strchr(options, '=');
2991             end = strchr(options, ',');
2992             if (start && (!end || (start < end))) {
2993                 int len = end ? end-(start+1) : strlen(start+1);
2994                 if (len < 6) {
2995                     /* extract the host specification from display */
2996                     char  *host = NULL, *port = NULL, *host_end = NULL;
2997                     port = g_strndup(start + 1, len);
2998 
2999                     /* ipv6 hosts have colons */
3000                     end = strchr(display, ',');
3001                     host_end = g_strrstr_len(display, end - display, ":");
3002 
3003                     if (host_end) {
3004                         host = g_strndup(display, host_end - display + 1);
3005                     } else {
3006                         host = g_strndup(":", 1);
3007                     }
3008                     vs->ws_display = g_strconcat(host, port, NULL);
3009                     g_free(host);
3010                     g_free(port);
3011                 }
3012             }
3013 #endif /* CONFIG_VNC_WS */
3014 #ifdef CONFIG_VNC_TLS
3015         } else if (strncmp(options, "tls", 3) == 0) {
3016             tls = 1; /* Require TLS */
3017         } else if (strncmp(options, "x509", 4) == 0) {
3018             char *start, *end;
3019             x509 = 1; /* Require x509 certificates */
3020             if (strncmp(options, "x509verify", 10) == 0)
3021                 vs->tls.x509verify = 1; /* ...and verify client certs */
3022 
3023             /* Now check for 'x509=/some/path' postfix
3024              * and use that to setup x509 certificate/key paths */
3025             start = strchr(options, '=');
3026             end = strchr(options, ',');
3027             if (start && (!end || (start < end))) {
3028                 int len = end ? end-(start+1) : strlen(start+1);
3029                 char *path = g_strndup(start + 1, len);
3030 
3031                 VNC_DEBUG("Trying certificate path '%s'\n", path);
3032                 if (vnc_tls_set_x509_creds_dir(vs, path) < 0) {
3033                     error_setg(errp, "Failed to find x509 certificates/keys in %s", path);
3034                     g_free(path);
3035                     goto fail;
3036                 }
3037                 g_free(path);
3038             } else {
3039                 error_setg(errp, "No certificate path provided");
3040                 goto fail;
3041             }
3042 #endif
3043 #if defined(CONFIG_VNC_TLS) || defined(CONFIG_VNC_SASL)
3044         } else if (strncmp(options, "acl", 3) == 0) {
3045             acl = 1;
3046 #endif
3047         } else if (strncmp(options, "lossy", 5) == 0) {
3048             vs->lossy = true;
3049         } else if (strncmp(options, "non-adaptive", 12) == 0) {
3050             vs->non_adaptive = true;
3051         } else if (strncmp(options, "share=", 6) == 0) {
3052             if (strncmp(options+6, "ignore", 6) == 0) {
3053                 vs->share_policy = VNC_SHARE_POLICY_IGNORE;
3054             } else if (strncmp(options+6, "allow-exclusive", 15) == 0) {
3055                 vs->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
3056             } else if (strncmp(options+6, "force-shared", 12) == 0) {
3057                 vs->share_policy = VNC_SHARE_POLICY_FORCE_SHARED;
3058             } else {
3059                 error_setg(errp, "unknown vnc share= option");
3060                 goto fail;
3061             }
3062         }
3063     }
3064 
3065 #ifdef CONFIG_VNC_TLS
3066     if (acl && x509 && vs->tls.x509verify) {
3067         if (!(vs->tls.acl = qemu_acl_init("vnc.x509dname"))) {
3068             fprintf(stderr, "Failed to create x509 dname ACL\n");
3069             exit(1);
3070         }
3071     }
3072 #endif
3073 #ifdef CONFIG_VNC_SASL
3074     if (acl && sasl) {
3075         if (!(vs->sasl.acl = qemu_acl_init("vnc.username"))) {
3076             fprintf(stderr, "Failed to create username ACL\n");
3077             exit(1);
3078         }
3079     }
3080 #endif
3081 
3082     /*
3083      * Combinations we support here:
3084      *
3085      *  - no-auth                (clear text, no auth)
3086      *  - password               (clear text, weak auth)
3087      *  - sasl                   (encrypt, good auth *IF* using Kerberos via GSSAPI)
3088      *  - tls                    (encrypt, weak anonymous creds, no auth)
3089      *  - tls + password         (encrypt, weak anonymous creds, weak auth)
3090      *  - tls + sasl             (encrypt, weak anonymous creds, good auth)
3091      *  - tls + x509             (encrypt, good x509 creds, no auth)
3092      *  - tls + x509 + password  (encrypt, good x509 creds, weak auth)
3093      *  - tls + x509 + sasl      (encrypt, good x509 creds, good auth)
3094      *
3095      * NB1. TLS is a stackable auth scheme.
3096      * NB2. the x509 schemes have option to validate a client cert dname
3097      */
3098     if (password) {
3099 #ifdef CONFIG_VNC_TLS
3100         if (tls) {
3101             vs->auth = VNC_AUTH_VENCRYPT;
3102             if (x509) {
3103                 VNC_DEBUG("Initializing VNC server with x509 password auth\n");
3104                 vs->subauth = VNC_AUTH_VENCRYPT_X509VNC;
3105             } else {
3106                 VNC_DEBUG("Initializing VNC server with TLS password auth\n");
3107                 vs->subauth = VNC_AUTH_VENCRYPT_TLSVNC;
3108             }
3109         } else {
3110 #endif /* CONFIG_VNC_TLS */
3111             VNC_DEBUG("Initializing VNC server with password auth\n");
3112             vs->auth = VNC_AUTH_VNC;
3113 #ifdef CONFIG_VNC_TLS
3114             vs->subauth = VNC_AUTH_INVALID;
3115         }
3116 #endif /* CONFIG_VNC_TLS */
3117 #ifdef CONFIG_VNC_SASL
3118     } else if (sasl) {
3119 #ifdef CONFIG_VNC_TLS
3120         if (tls) {
3121             vs->auth = VNC_AUTH_VENCRYPT;
3122             if (x509) {
3123                 VNC_DEBUG("Initializing VNC server with x509 SASL auth\n");
3124                 vs->subauth = VNC_AUTH_VENCRYPT_X509SASL;
3125             } else {
3126                 VNC_DEBUG("Initializing VNC server with TLS SASL auth\n");
3127                 vs->subauth = VNC_AUTH_VENCRYPT_TLSSASL;
3128             }
3129         } else {
3130 #endif /* CONFIG_VNC_TLS */
3131             VNC_DEBUG("Initializing VNC server with SASL auth\n");
3132             vs->auth = VNC_AUTH_SASL;
3133 #ifdef CONFIG_VNC_TLS
3134             vs->subauth = VNC_AUTH_INVALID;
3135         }
3136 #endif /* CONFIG_VNC_TLS */
3137 #endif /* CONFIG_VNC_SASL */
3138     } else {
3139 #ifdef CONFIG_VNC_TLS
3140         if (tls) {
3141             vs->auth = VNC_AUTH_VENCRYPT;
3142             if (x509) {
3143                 VNC_DEBUG("Initializing VNC server with x509 no auth\n");
3144                 vs->subauth = VNC_AUTH_VENCRYPT_X509NONE;
3145             } else {
3146                 VNC_DEBUG("Initializing VNC server with TLS no auth\n");
3147                 vs->subauth = VNC_AUTH_VENCRYPT_TLSNONE;
3148             }
3149         } else {
3150 #endif
3151             VNC_DEBUG("Initializing VNC server with no auth\n");
3152             vs->auth = VNC_AUTH_NONE;
3153 #ifdef CONFIG_VNC_TLS
3154             vs->subauth = VNC_AUTH_INVALID;
3155         }
3156 #endif
3157     }
3158 
3159 #ifdef CONFIG_VNC_SASL
3160     if ((saslErr = sasl_server_init(NULL, "qemu")) != SASL_OK) {
3161         error_setg(errp, "Failed to initialize SASL auth: %s",
3162                    sasl_errstring(saslErr, NULL, NULL));
3163         goto fail;
3164     }
3165 #endif
3166     vs->lock_key_sync = lock_key_sync;
3167 
3168     if (reverse) {
3169         /* connect to viewer */
3170         int csock;
3171         vs->lsock = -1;
3172 #ifdef CONFIG_VNC_WS
3173         vs->lwebsock = -1;
3174 #endif
3175         if (strncmp(display, "unix:", 5) == 0) {
3176             csock = unix_connect(display+5, errp);
3177         } else {
3178             csock = inet_connect(display, errp);
3179         }
3180         if (csock < 0) {
3181             goto fail;
3182         }
3183         vnc_connect(vs, csock, 0, 0);
3184     } else {
3185         /* listen for connects */
3186         char *dpy;
3187         dpy = g_malloc(256);
3188         if (strncmp(display, "unix:", 5) == 0) {
3189             pstrcpy(dpy, 256, "unix:");
3190             vs->lsock = unix_listen(display+5, dpy+5, 256-5, errp);
3191         } else {
3192             vs->lsock = inet_listen(display, dpy, 256,
3193                                     SOCK_STREAM, 5900, errp);
3194             if (vs->lsock < 0) {
3195                 g_free(dpy);
3196                 goto fail;
3197             }
3198 #ifdef CONFIG_VNC_WS
3199             if (vs->websocket) {
3200                 if (vs->ws_display) {
3201                     vs->lwebsock = inet_listen(vs->ws_display, NULL, 256,
3202                         SOCK_STREAM, 0, errp);
3203                 } else {
3204                     vs->lwebsock = inet_listen(vs->display, NULL, 256,
3205                         SOCK_STREAM, 5700, errp);
3206                 }
3207 
3208                 if (vs->lwebsock < 0) {
3209                     if (vs->lsock) {
3210                         close(vs->lsock);
3211                         vs->lsock = -1;
3212                     }
3213                     g_free(dpy);
3214                     goto fail;
3215                 }
3216             }
3217 #endif /* CONFIG_VNC_WS */
3218         }
3219         g_free(vs->display);
3220         vs->display = dpy;
3221         qemu_set_fd_handler2(vs->lsock, NULL,
3222                 vnc_listen_regular_read, NULL, vs);
3223 #ifdef CONFIG_VNC_WS
3224         if (vs->websocket) {
3225             qemu_set_fd_handler2(vs->lwebsock, NULL,
3226                     vnc_listen_websocket_read, NULL, vs);
3227         }
3228 #endif /* CONFIG_VNC_WS */
3229     }
3230     return;
3231 
3232 fail:
3233     g_free(vs->display);
3234     vs->display = NULL;
3235 #ifdef CONFIG_VNC_WS
3236     g_free(vs->ws_display);
3237     vs->ws_display = NULL;
3238 #endif /* CONFIG_VNC_WS */
3239 }
3240 
3241 void vnc_display_add_client(DisplayState *ds, int csock, int skipauth)
3242 {
3243     VncDisplay *vs = vnc_display;
3244 
3245     vnc_connect(vs, csock, skipauth, 0);
3246 }
3247