xref: /openbmc/qemu/ui/vnc.c (revision e9e51b71)
1 /*
2  * QEMU VNC display driver
3  *
4  * Copyright (C) 2006 Anthony Liguori <anthony@codemonkey.ws>
5  * Copyright (C) 2006 Fabrice Bellard
6  * Copyright (C) 2009 Red Hat, Inc
7  *
8  * Permission is hereby granted, free of charge, to any person obtaining a copy
9  * of this software and associated documentation files (the "Software"), to deal
10  * in the Software without restriction, including without limitation the rights
11  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
12  * copies of the Software, and to permit persons to whom the Software is
13  * furnished to do so, subject to the following conditions:
14  *
15  * The above copyright notice and this permission notice shall be included in
16  * all copies or substantial portions of the Software.
17  *
18  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
19  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
20  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
21  * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
22  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
23  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
24  * THE SOFTWARE.
25  */
26 
27 #include "qemu/osdep.h"
28 #include "vnc.h"
29 #include "vnc-jobs.h"
30 #include "trace.h"
31 #include "hw/qdev-core.h"
32 #include "sysemu/sysemu.h"
33 #include "sysemu/runstate.h"
34 #include "qemu/error-report.h"
35 #include "qemu/main-loop.h"
36 #include "qemu/module.h"
37 #include "qemu/option.h"
38 #include "qemu/sockets.h"
39 #include "qemu/timer.h"
40 #include "authz/list.h"
41 #include "qemu/config-file.h"
42 #include "qapi/qapi-emit-events.h"
43 #include "qapi/qapi-events-ui.h"
44 #include "qapi/error.h"
45 #include "qapi/qapi-commands-ui.h"
46 #include "ui/input.h"
47 #include "crypto/hash.h"
48 #include "crypto/tlscredsanon.h"
49 #include "crypto/tlscredsx509.h"
50 #include "crypto/random.h"
51 #include "qom/object_interfaces.h"
52 #include "qemu/cutils.h"
53 #include "qemu/help_option.h"
54 #include "io/dns-resolver.h"
55 
56 #define VNC_REFRESH_INTERVAL_BASE GUI_REFRESH_INTERVAL_DEFAULT
57 #define VNC_REFRESH_INTERVAL_INC  50
58 #define VNC_REFRESH_INTERVAL_MAX  GUI_REFRESH_INTERVAL_IDLE
59 static const struct timeval VNC_REFRESH_STATS = { 0, 500000 };
60 static const struct timeval VNC_REFRESH_LOSSY = { 2, 0 };
61 
62 #include "vnc_keysym.h"
63 #include "crypto/cipher.h"
64 
65 static QTAILQ_HEAD(, VncDisplay) vnc_displays =
66     QTAILQ_HEAD_INITIALIZER(vnc_displays);
67 
68 static int vnc_cursor_define(VncState *vs);
69 static void vnc_update_throttle_offset(VncState *vs);
70 
71 static void vnc_set_share_mode(VncState *vs, VncShareMode mode)
72 {
73 #ifdef _VNC_DEBUG
74     static const char *mn[] = {
75         [0]                           = "undefined",
76         [VNC_SHARE_MODE_CONNECTING]   = "connecting",
77         [VNC_SHARE_MODE_SHARED]       = "shared",
78         [VNC_SHARE_MODE_EXCLUSIVE]    = "exclusive",
79         [VNC_SHARE_MODE_DISCONNECTED] = "disconnected",
80     };
81     fprintf(stderr, "%s/%p: %s -> %s\n", __func__,
82             vs->ioc, mn[vs->share_mode], mn[mode]);
83 #endif
84 
85     switch (vs->share_mode) {
86     case VNC_SHARE_MODE_CONNECTING:
87         vs->vd->num_connecting--;
88         break;
89     case VNC_SHARE_MODE_SHARED:
90         vs->vd->num_shared--;
91         break;
92     case VNC_SHARE_MODE_EXCLUSIVE:
93         vs->vd->num_exclusive--;
94         break;
95     default:
96         break;
97     }
98 
99     vs->share_mode = mode;
100 
101     switch (vs->share_mode) {
102     case VNC_SHARE_MODE_CONNECTING:
103         vs->vd->num_connecting++;
104         break;
105     case VNC_SHARE_MODE_SHARED:
106         vs->vd->num_shared++;
107         break;
108     case VNC_SHARE_MODE_EXCLUSIVE:
109         vs->vd->num_exclusive++;
110         break;
111     default:
112         break;
113     }
114 }
115 
116 
117 static void vnc_init_basic_info(SocketAddress *addr,
118                                 VncBasicInfo *info,
119                                 Error **errp)
120 {
121     switch (addr->type) {
122     case SOCKET_ADDRESS_TYPE_INET:
123         info->host = g_strdup(addr->u.inet.host);
124         info->service = g_strdup(addr->u.inet.port);
125         if (addr->u.inet.ipv6) {
126             info->family = NETWORK_ADDRESS_FAMILY_IPV6;
127         } else {
128             info->family = NETWORK_ADDRESS_FAMILY_IPV4;
129         }
130         break;
131 
132     case SOCKET_ADDRESS_TYPE_UNIX:
133         info->host = g_strdup("");
134         info->service = g_strdup(addr->u.q_unix.path);
135         info->family = NETWORK_ADDRESS_FAMILY_UNIX;
136         break;
137 
138     case SOCKET_ADDRESS_TYPE_VSOCK:
139     case SOCKET_ADDRESS_TYPE_FD:
140         error_setg(errp, "Unsupported socket address type %s",
141                    SocketAddressType_str(addr->type));
142         break;
143     default:
144         abort();
145     }
146 
147     return;
148 }
149 
150 static void vnc_init_basic_info_from_server_addr(QIOChannelSocket *ioc,
151                                                  VncBasicInfo *info,
152                                                  Error **errp)
153 {
154     SocketAddress *addr = NULL;
155 
156     if (!ioc) {
157         error_setg(errp, "No listener socket available");
158         return;
159     }
160 
161     addr = qio_channel_socket_get_local_address(ioc, errp);
162     if (!addr) {
163         return;
164     }
165 
166     vnc_init_basic_info(addr, info, errp);
167     qapi_free_SocketAddress(addr);
168 }
169 
170 static void vnc_init_basic_info_from_remote_addr(QIOChannelSocket *ioc,
171                                                  VncBasicInfo *info,
172                                                  Error **errp)
173 {
174     SocketAddress *addr = NULL;
175 
176     addr = qio_channel_socket_get_remote_address(ioc, errp);
177     if (!addr) {
178         return;
179     }
180 
181     vnc_init_basic_info(addr, info, errp);
182     qapi_free_SocketAddress(addr);
183 }
184 
185 static const char *vnc_auth_name(VncDisplay *vd) {
186     switch (vd->auth) {
187     case VNC_AUTH_INVALID:
188         return "invalid";
189     case VNC_AUTH_NONE:
190         return "none";
191     case VNC_AUTH_VNC:
192         return "vnc";
193     case VNC_AUTH_RA2:
194         return "ra2";
195     case VNC_AUTH_RA2NE:
196         return "ra2ne";
197     case VNC_AUTH_TIGHT:
198         return "tight";
199     case VNC_AUTH_ULTRA:
200         return "ultra";
201     case VNC_AUTH_TLS:
202         return "tls";
203     case VNC_AUTH_VENCRYPT:
204         switch (vd->subauth) {
205         case VNC_AUTH_VENCRYPT_PLAIN:
206             return "vencrypt+plain";
207         case VNC_AUTH_VENCRYPT_TLSNONE:
208             return "vencrypt+tls+none";
209         case VNC_AUTH_VENCRYPT_TLSVNC:
210             return "vencrypt+tls+vnc";
211         case VNC_AUTH_VENCRYPT_TLSPLAIN:
212             return "vencrypt+tls+plain";
213         case VNC_AUTH_VENCRYPT_X509NONE:
214             return "vencrypt+x509+none";
215         case VNC_AUTH_VENCRYPT_X509VNC:
216             return "vencrypt+x509+vnc";
217         case VNC_AUTH_VENCRYPT_X509PLAIN:
218             return "vencrypt+x509+plain";
219         case VNC_AUTH_VENCRYPT_TLSSASL:
220             return "vencrypt+tls+sasl";
221         case VNC_AUTH_VENCRYPT_X509SASL:
222             return "vencrypt+x509+sasl";
223         default:
224             return "vencrypt";
225         }
226     case VNC_AUTH_SASL:
227         return "sasl";
228     }
229     return "unknown";
230 }
231 
232 static VncServerInfo *vnc_server_info_get(VncDisplay *vd)
233 {
234     VncServerInfo *info;
235     Error *err = NULL;
236 
237     if (!vd->listener || !vd->listener->nsioc) {
238         return NULL;
239     }
240 
241     info = g_malloc0(sizeof(*info));
242     vnc_init_basic_info_from_server_addr(vd->listener->sioc[0],
243                                          qapi_VncServerInfo_base(info), &err);
244     info->has_auth = true;
245     info->auth = g_strdup(vnc_auth_name(vd));
246     if (err) {
247         qapi_free_VncServerInfo(info);
248         info = NULL;
249         error_free(err);
250     }
251     return info;
252 }
253 
254 static void vnc_client_cache_auth(VncState *client)
255 {
256     if (!client->info) {
257         return;
258     }
259 
260     if (client->tls) {
261         client->info->x509_dname =
262             qcrypto_tls_session_get_peer_name(client->tls);
263         client->info->has_x509_dname =
264             client->info->x509_dname != NULL;
265     }
266 #ifdef CONFIG_VNC_SASL
267     if (client->sasl.conn &&
268         client->sasl.username) {
269         client->info->has_sasl_username = true;
270         client->info->sasl_username = g_strdup(client->sasl.username);
271     }
272 #endif
273 }
274 
275 static void vnc_client_cache_addr(VncState *client)
276 {
277     Error *err = NULL;
278 
279     client->info = g_malloc0(sizeof(*client->info));
280     vnc_init_basic_info_from_remote_addr(client->sioc,
281                                          qapi_VncClientInfo_base(client->info),
282                                          &err);
283     client->info->websocket = client->websocket;
284     if (err) {
285         qapi_free_VncClientInfo(client->info);
286         client->info = NULL;
287         error_free(err);
288     }
289 }
290 
291 static void vnc_qmp_event(VncState *vs, QAPIEvent event)
292 {
293     VncServerInfo *si;
294 
295     if (!vs->info) {
296         return;
297     }
298 
299     si = vnc_server_info_get(vs->vd);
300     if (!si) {
301         return;
302     }
303 
304     switch (event) {
305     case QAPI_EVENT_VNC_CONNECTED:
306         qapi_event_send_vnc_connected(si, qapi_VncClientInfo_base(vs->info));
307         break;
308     case QAPI_EVENT_VNC_INITIALIZED:
309         qapi_event_send_vnc_initialized(si, vs->info);
310         break;
311     case QAPI_EVENT_VNC_DISCONNECTED:
312         qapi_event_send_vnc_disconnected(si, vs->info);
313         break;
314     default:
315         break;
316     }
317 
318     qapi_free_VncServerInfo(si);
319 }
320 
321 static VncClientInfo *qmp_query_vnc_client(const VncState *client)
322 {
323     VncClientInfo *info;
324     Error *err = NULL;
325 
326     info = g_malloc0(sizeof(*info));
327 
328     vnc_init_basic_info_from_remote_addr(client->sioc,
329                                          qapi_VncClientInfo_base(info),
330                                          &err);
331     if (err) {
332         error_free(err);
333         qapi_free_VncClientInfo(info);
334         return NULL;
335     }
336 
337     info->websocket = client->websocket;
338 
339     if (client->tls) {
340         info->x509_dname = qcrypto_tls_session_get_peer_name(client->tls);
341         info->has_x509_dname = info->x509_dname != NULL;
342     }
343 #ifdef CONFIG_VNC_SASL
344     if (client->sasl.conn && client->sasl.username) {
345         info->has_sasl_username = true;
346         info->sasl_username = g_strdup(client->sasl.username);
347     }
348 #endif
349 
350     return info;
351 }
352 
353 static VncDisplay *vnc_display_find(const char *id)
354 {
355     VncDisplay *vd;
356 
357     if (id == NULL) {
358         return QTAILQ_FIRST(&vnc_displays);
359     }
360     QTAILQ_FOREACH(vd, &vnc_displays, next) {
361         if (strcmp(id, vd->id) == 0) {
362             return vd;
363         }
364     }
365     return NULL;
366 }
367 
368 static VncClientInfoList *qmp_query_client_list(VncDisplay *vd)
369 {
370     VncClientInfoList *prev = NULL;
371     VncState *client;
372 
373     QTAILQ_FOREACH(client, &vd->clients, next) {
374         QAPI_LIST_PREPEND(prev, qmp_query_vnc_client(client));
375     }
376     return prev;
377 }
378 
379 VncInfo *qmp_query_vnc(Error **errp)
380 {
381     VncInfo *info = g_malloc0(sizeof(*info));
382     VncDisplay *vd = vnc_display_find(NULL);
383     SocketAddress *addr = NULL;
384 
385     if (vd == NULL || !vd->listener || !vd->listener->nsioc) {
386         info->enabled = false;
387     } else {
388         info->enabled = true;
389 
390         /* for compatibility with the original command */
391         info->has_clients = true;
392         info->clients = qmp_query_client_list(vd);
393 
394         addr = qio_channel_socket_get_local_address(vd->listener->sioc[0],
395                                                     errp);
396         if (!addr) {
397             goto out_error;
398         }
399 
400         switch (addr->type) {
401         case SOCKET_ADDRESS_TYPE_INET:
402             info->host = g_strdup(addr->u.inet.host);
403             info->service = g_strdup(addr->u.inet.port);
404             if (addr->u.inet.ipv6) {
405                 info->family = NETWORK_ADDRESS_FAMILY_IPV6;
406             } else {
407                 info->family = NETWORK_ADDRESS_FAMILY_IPV4;
408             }
409             break;
410 
411         case SOCKET_ADDRESS_TYPE_UNIX:
412             info->host = g_strdup("");
413             info->service = g_strdup(addr->u.q_unix.path);
414             info->family = NETWORK_ADDRESS_FAMILY_UNIX;
415             break;
416 
417         case SOCKET_ADDRESS_TYPE_VSOCK:
418         case SOCKET_ADDRESS_TYPE_FD:
419             error_setg(errp, "Unsupported socket address type %s",
420                        SocketAddressType_str(addr->type));
421             goto out_error;
422         default:
423             abort();
424         }
425 
426         info->has_host = true;
427         info->has_service = true;
428         info->has_family = true;
429 
430         info->has_auth = true;
431         info->auth = g_strdup(vnc_auth_name(vd));
432     }
433 
434     qapi_free_SocketAddress(addr);
435     return info;
436 
437 out_error:
438     qapi_free_SocketAddress(addr);
439     qapi_free_VncInfo(info);
440     return NULL;
441 }
442 
443 
444 static void qmp_query_auth(int auth, int subauth,
445                            VncPrimaryAuth *qmp_auth,
446                            VncVencryptSubAuth *qmp_vencrypt,
447                            bool *qmp_has_vencrypt);
448 
449 static VncServerInfo2List *qmp_query_server_entry(QIOChannelSocket *ioc,
450                                                   bool websocket,
451                                                   int auth,
452                                                   int subauth,
453                                                   VncServerInfo2List *prev)
454 {
455     VncServerInfo2 *info;
456     Error *err = NULL;
457     SocketAddress *addr;
458 
459     addr = qio_channel_socket_get_local_address(ioc, NULL);
460     if (!addr) {
461         return prev;
462     }
463 
464     info = g_new0(VncServerInfo2, 1);
465     vnc_init_basic_info(addr, qapi_VncServerInfo2_base(info), &err);
466     qapi_free_SocketAddress(addr);
467     if (err) {
468         qapi_free_VncServerInfo2(info);
469         error_free(err);
470         return prev;
471     }
472     info->websocket = websocket;
473 
474     qmp_query_auth(auth, subauth, &info->auth,
475                    &info->vencrypt, &info->has_vencrypt);
476 
477     QAPI_LIST_PREPEND(prev, info);
478     return prev;
479 }
480 
481 static void qmp_query_auth(int auth, int subauth,
482                            VncPrimaryAuth *qmp_auth,
483                            VncVencryptSubAuth *qmp_vencrypt,
484                            bool *qmp_has_vencrypt)
485 {
486     switch (auth) {
487     case VNC_AUTH_VNC:
488         *qmp_auth = VNC_PRIMARY_AUTH_VNC;
489         break;
490     case VNC_AUTH_RA2:
491         *qmp_auth = VNC_PRIMARY_AUTH_RA2;
492         break;
493     case VNC_AUTH_RA2NE:
494         *qmp_auth = VNC_PRIMARY_AUTH_RA2NE;
495         break;
496     case VNC_AUTH_TIGHT:
497         *qmp_auth = VNC_PRIMARY_AUTH_TIGHT;
498         break;
499     case VNC_AUTH_ULTRA:
500         *qmp_auth = VNC_PRIMARY_AUTH_ULTRA;
501         break;
502     case VNC_AUTH_TLS:
503         *qmp_auth = VNC_PRIMARY_AUTH_TLS;
504         break;
505     case VNC_AUTH_VENCRYPT:
506         *qmp_auth = VNC_PRIMARY_AUTH_VENCRYPT;
507         *qmp_has_vencrypt = true;
508         switch (subauth) {
509         case VNC_AUTH_VENCRYPT_PLAIN:
510             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_PLAIN;
511             break;
512         case VNC_AUTH_VENCRYPT_TLSNONE:
513             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_NONE;
514             break;
515         case VNC_AUTH_VENCRYPT_TLSVNC:
516             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_VNC;
517             break;
518         case VNC_AUTH_VENCRYPT_TLSPLAIN:
519             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_PLAIN;
520             break;
521         case VNC_AUTH_VENCRYPT_X509NONE:
522             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_NONE;
523             break;
524         case VNC_AUTH_VENCRYPT_X509VNC:
525             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_VNC;
526             break;
527         case VNC_AUTH_VENCRYPT_X509PLAIN:
528             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_PLAIN;
529             break;
530         case VNC_AUTH_VENCRYPT_TLSSASL:
531             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_SASL;
532             break;
533         case VNC_AUTH_VENCRYPT_X509SASL:
534             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_SASL;
535             break;
536         default:
537             *qmp_has_vencrypt = false;
538             break;
539         }
540         break;
541     case VNC_AUTH_SASL:
542         *qmp_auth = VNC_PRIMARY_AUTH_SASL;
543         break;
544     case VNC_AUTH_NONE:
545     default:
546         *qmp_auth = VNC_PRIMARY_AUTH_NONE;
547         break;
548     }
549 }
550 
551 VncInfo2List *qmp_query_vnc_servers(Error **errp)
552 {
553     VncInfo2List *prev = NULL;
554     VncInfo2 *info;
555     VncDisplay *vd;
556     DeviceState *dev;
557     size_t i;
558 
559     QTAILQ_FOREACH(vd, &vnc_displays, next) {
560         info = g_new0(VncInfo2, 1);
561         info->id = g_strdup(vd->id);
562         info->clients = qmp_query_client_list(vd);
563         qmp_query_auth(vd->auth, vd->subauth, &info->auth,
564                        &info->vencrypt, &info->has_vencrypt);
565         if (vd->dcl.con) {
566             dev = DEVICE(object_property_get_link(OBJECT(vd->dcl.con),
567                                                   "device", &error_abort));
568             info->has_display = true;
569             info->display = g_strdup(dev->id);
570         }
571         for (i = 0; vd->listener != NULL && i < vd->listener->nsioc; i++) {
572             info->server = qmp_query_server_entry(
573                 vd->listener->sioc[i], false, vd->auth, vd->subauth,
574                 info->server);
575         }
576         for (i = 0; vd->wslistener != NULL && i < vd->wslistener->nsioc; i++) {
577             info->server = qmp_query_server_entry(
578                 vd->wslistener->sioc[i], true, vd->ws_auth,
579                 vd->ws_subauth, info->server);
580         }
581 
582         QAPI_LIST_PREPEND(prev, info);
583     }
584     return prev;
585 }
586 
587 /* TODO
588    1) Get the queue working for IO.
589    2) there is some weirdness when using the -S option (the screen is grey
590       and not totally invalidated
591    3) resolutions > 1024
592 */
593 
594 static int vnc_update_client(VncState *vs, int has_dirty);
595 static void vnc_disconnect_start(VncState *vs);
596 
597 static void vnc_colordepth(VncState *vs);
598 static void framebuffer_update_request(VncState *vs, int incremental,
599                                        int x_position, int y_position,
600                                        int w, int h);
601 static void vnc_refresh(DisplayChangeListener *dcl);
602 static int vnc_refresh_server_surface(VncDisplay *vd);
603 
604 static int vnc_width(VncDisplay *vd)
605 {
606     return MIN(VNC_MAX_WIDTH, ROUND_UP(surface_width(vd->ds),
607                                        VNC_DIRTY_PIXELS_PER_BIT));
608 }
609 
610 static int vnc_height(VncDisplay *vd)
611 {
612     return MIN(VNC_MAX_HEIGHT, surface_height(vd->ds));
613 }
614 
615 static void vnc_set_area_dirty(DECLARE_BITMAP(dirty[VNC_MAX_HEIGHT],
616                                VNC_MAX_WIDTH / VNC_DIRTY_PIXELS_PER_BIT),
617                                VncDisplay *vd,
618                                int x, int y, int w, int h)
619 {
620     int width = vnc_width(vd);
621     int height = vnc_height(vd);
622 
623     /* this is needed this to ensure we updated all affected
624      * blocks if x % VNC_DIRTY_PIXELS_PER_BIT != 0 */
625     w += (x % VNC_DIRTY_PIXELS_PER_BIT);
626     x -= (x % VNC_DIRTY_PIXELS_PER_BIT);
627 
628     x = MIN(x, width);
629     y = MIN(y, height);
630     w = MIN(x + w, width) - x;
631     h = MIN(y + h, height);
632 
633     for (; y < h; y++) {
634         bitmap_set(dirty[y], x / VNC_DIRTY_PIXELS_PER_BIT,
635                    DIV_ROUND_UP(w, VNC_DIRTY_PIXELS_PER_BIT));
636     }
637 }
638 
639 static void vnc_dpy_update(DisplayChangeListener *dcl,
640                            int x, int y, int w, int h)
641 {
642     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
643     struct VncSurface *s = &vd->guest;
644 
645     vnc_set_area_dirty(s->dirty, vd, x, y, w, h);
646 }
647 
648 void vnc_framebuffer_update(VncState *vs, int x, int y, int w, int h,
649                             int32_t encoding)
650 {
651     vnc_write_u16(vs, x);
652     vnc_write_u16(vs, y);
653     vnc_write_u16(vs, w);
654     vnc_write_u16(vs, h);
655 
656     vnc_write_s32(vs, encoding);
657 }
658 
659 static void vnc_desktop_resize_ext(VncState *vs, int reject_reason)
660 {
661     vnc_lock_output(vs);
662     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
663     vnc_write_u8(vs, 0);
664     vnc_write_u16(vs, 1); /* number of rects */
665     vnc_framebuffer_update(vs,
666                            reject_reason ? 1 : 0,
667                            reject_reason,
668                            vs->client_width, vs->client_height,
669                            VNC_ENCODING_DESKTOP_RESIZE_EXT);
670     vnc_write_u8(vs, 1);  /* number of screens */
671     vnc_write_u8(vs, 0);  /* padding */
672     vnc_write_u8(vs, 0);  /* padding */
673     vnc_write_u8(vs, 0);  /* padding */
674     vnc_write_u32(vs, 0); /* screen id */
675     vnc_write_u16(vs, 0); /* screen x-pos */
676     vnc_write_u16(vs, 0); /* screen y-pos */
677     vnc_write_u16(vs, vs->client_width);
678     vnc_write_u16(vs, vs->client_height);
679     vnc_write_u32(vs, 0); /* screen flags */
680     vnc_unlock_output(vs);
681     vnc_flush(vs);
682 }
683 
684 static void vnc_desktop_resize(VncState *vs)
685 {
686     if (vs->ioc == NULL || (!vnc_has_feature(vs, VNC_FEATURE_RESIZE) &&
687                             !vnc_has_feature(vs, VNC_FEATURE_RESIZE_EXT))) {
688         return;
689     }
690     if (vs->client_width == pixman_image_get_width(vs->vd->server) &&
691         vs->client_height == pixman_image_get_height(vs->vd->server)) {
692         return;
693     }
694 
695     assert(pixman_image_get_width(vs->vd->server) < 65536 &&
696            pixman_image_get_width(vs->vd->server) >= 0);
697     assert(pixman_image_get_height(vs->vd->server) < 65536 &&
698            pixman_image_get_height(vs->vd->server) >= 0);
699     vs->client_width = pixman_image_get_width(vs->vd->server);
700     vs->client_height = pixman_image_get_height(vs->vd->server);
701 
702     if (vnc_has_feature(vs, VNC_FEATURE_RESIZE_EXT)) {
703         vnc_desktop_resize_ext(vs, 0);
704         return;
705     }
706 
707     vnc_lock_output(vs);
708     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
709     vnc_write_u8(vs, 0);
710     vnc_write_u16(vs, 1); /* number of rects */
711     vnc_framebuffer_update(vs, 0, 0, vs->client_width, vs->client_height,
712                            VNC_ENCODING_DESKTOPRESIZE);
713     vnc_unlock_output(vs);
714     vnc_flush(vs);
715 }
716 
717 static void vnc_abort_display_jobs(VncDisplay *vd)
718 {
719     VncState *vs;
720 
721     QTAILQ_FOREACH(vs, &vd->clients, next) {
722         vnc_lock_output(vs);
723         vs->abort = true;
724         vnc_unlock_output(vs);
725     }
726     QTAILQ_FOREACH(vs, &vd->clients, next) {
727         vnc_jobs_join(vs);
728     }
729     QTAILQ_FOREACH(vs, &vd->clients, next) {
730         vnc_lock_output(vs);
731         if (vs->update == VNC_STATE_UPDATE_NONE &&
732             vs->job_update != VNC_STATE_UPDATE_NONE) {
733             /* job aborted before completion */
734             vs->update = vs->job_update;
735             vs->job_update = VNC_STATE_UPDATE_NONE;
736         }
737         vs->abort = false;
738         vnc_unlock_output(vs);
739     }
740 }
741 
742 int vnc_server_fb_stride(VncDisplay *vd)
743 {
744     return pixman_image_get_stride(vd->server);
745 }
746 
747 void *vnc_server_fb_ptr(VncDisplay *vd, int x, int y)
748 {
749     uint8_t *ptr;
750 
751     ptr  = (uint8_t *)pixman_image_get_data(vd->server);
752     ptr += y * vnc_server_fb_stride(vd);
753     ptr += x * VNC_SERVER_FB_BYTES;
754     return ptr;
755 }
756 
757 static void vnc_update_server_surface(VncDisplay *vd)
758 {
759     int width, height;
760 
761     qemu_pixman_image_unref(vd->server);
762     vd->server = NULL;
763 
764     if (QTAILQ_EMPTY(&vd->clients)) {
765         return;
766     }
767 
768     width = vnc_width(vd);
769     height = vnc_height(vd);
770     vd->server = pixman_image_create_bits(VNC_SERVER_FB_FORMAT,
771                                           width, height,
772                                           NULL, 0);
773 
774     memset(vd->guest.dirty, 0x00, sizeof(vd->guest.dirty));
775     vnc_set_area_dirty(vd->guest.dirty, vd, 0, 0,
776                        width, height);
777 }
778 
779 static bool vnc_check_pageflip(DisplaySurface *s1,
780                                DisplaySurface *s2)
781 {
782     return (s1 != NULL &&
783             s2 != NULL &&
784             surface_width(s1) == surface_width(s2) &&
785             surface_height(s1) == surface_height(s2) &&
786             surface_format(s1) == surface_format(s2));
787 
788 }
789 
790 static void vnc_dpy_switch(DisplayChangeListener *dcl,
791                            DisplaySurface *surface)
792 {
793     static const char placeholder_msg[] =
794         "Display output is not active.";
795     static DisplaySurface *placeholder;
796     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
797     bool pageflip = vnc_check_pageflip(vd->ds, surface);
798     VncState *vs;
799 
800     if (surface == NULL) {
801         if (placeholder == NULL) {
802             placeholder = qemu_create_message_surface(640, 480, placeholder_msg);
803         }
804         surface = placeholder;
805     }
806 
807     vnc_abort_display_jobs(vd);
808     vd->ds = surface;
809 
810     /* guest surface */
811     qemu_pixman_image_unref(vd->guest.fb);
812     vd->guest.fb = pixman_image_ref(surface->image);
813     vd->guest.format = surface->format;
814 
815     if (pageflip) {
816         vnc_set_area_dirty(vd->guest.dirty, vd, 0, 0,
817                            surface_width(surface),
818                            surface_height(surface));
819         return;
820     }
821 
822     /* server surface */
823     vnc_update_server_surface(vd);
824 
825     QTAILQ_FOREACH(vs, &vd->clients, next) {
826         vnc_colordepth(vs);
827         vnc_desktop_resize(vs);
828         vnc_cursor_define(vs);
829         memset(vs->dirty, 0x00, sizeof(vs->dirty));
830         vnc_set_area_dirty(vs->dirty, vd, 0, 0,
831                            vnc_width(vd),
832                            vnc_height(vd));
833         vnc_update_throttle_offset(vs);
834     }
835 }
836 
837 /* fastest code */
838 static void vnc_write_pixels_copy(VncState *vs,
839                                   void *pixels, int size)
840 {
841     vnc_write(vs, pixels, size);
842 }
843 
844 /* slowest but generic code. */
845 void vnc_convert_pixel(VncState *vs, uint8_t *buf, uint32_t v)
846 {
847     uint8_t r, g, b;
848 
849 #if VNC_SERVER_FB_FORMAT == PIXMAN_FORMAT(32, PIXMAN_TYPE_ARGB, 0, 8, 8, 8)
850     r = (((v & 0x00ff0000) >> 16) << vs->client_pf.rbits) >> 8;
851     g = (((v & 0x0000ff00) >>  8) << vs->client_pf.gbits) >> 8;
852     b = (((v & 0x000000ff) >>  0) << vs->client_pf.bbits) >> 8;
853 #else
854 # error need some bits here if you change VNC_SERVER_FB_FORMAT
855 #endif
856     v = (r << vs->client_pf.rshift) |
857         (g << vs->client_pf.gshift) |
858         (b << vs->client_pf.bshift);
859     switch (vs->client_pf.bytes_per_pixel) {
860     case 1:
861         buf[0] = v;
862         break;
863     case 2:
864         if (vs->client_be) {
865             buf[0] = v >> 8;
866             buf[1] = v;
867         } else {
868             buf[1] = v >> 8;
869             buf[0] = v;
870         }
871         break;
872     default:
873     case 4:
874         if (vs->client_be) {
875             buf[0] = v >> 24;
876             buf[1] = v >> 16;
877             buf[2] = v >> 8;
878             buf[3] = v;
879         } else {
880             buf[3] = v >> 24;
881             buf[2] = v >> 16;
882             buf[1] = v >> 8;
883             buf[0] = v;
884         }
885         break;
886     }
887 }
888 
889 static void vnc_write_pixels_generic(VncState *vs,
890                                      void *pixels1, int size)
891 {
892     uint8_t buf[4];
893 
894     if (VNC_SERVER_FB_BYTES == 4) {
895         uint32_t *pixels = pixels1;
896         int n, i;
897         n = size >> 2;
898         for (i = 0; i < n; i++) {
899             vnc_convert_pixel(vs, buf, pixels[i]);
900             vnc_write(vs, buf, vs->client_pf.bytes_per_pixel);
901         }
902     }
903 }
904 
905 int vnc_raw_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
906 {
907     int i;
908     uint8_t *row;
909     VncDisplay *vd = vs->vd;
910 
911     row = vnc_server_fb_ptr(vd, x, y);
912     for (i = 0; i < h; i++) {
913         vs->write_pixels(vs, row, w * VNC_SERVER_FB_BYTES);
914         row += vnc_server_fb_stride(vd);
915     }
916     return 1;
917 }
918 
919 int vnc_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
920 {
921     int n = 0;
922 
923     switch(vs->vnc_encoding) {
924         case VNC_ENCODING_ZLIB:
925             n = vnc_zlib_send_framebuffer_update(vs, x, y, w, h);
926             break;
927         case VNC_ENCODING_HEXTILE:
928             vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_HEXTILE);
929             n = vnc_hextile_send_framebuffer_update(vs, x, y, w, h);
930             break;
931         case VNC_ENCODING_TIGHT:
932             n = vnc_tight_send_framebuffer_update(vs, x, y, w, h);
933             break;
934         case VNC_ENCODING_TIGHT_PNG:
935             n = vnc_tight_png_send_framebuffer_update(vs, x, y, w, h);
936             break;
937         case VNC_ENCODING_ZRLE:
938             n = vnc_zrle_send_framebuffer_update(vs, x, y, w, h);
939             break;
940         case VNC_ENCODING_ZYWRLE:
941             n = vnc_zywrle_send_framebuffer_update(vs, x, y, w, h);
942             break;
943         default:
944             vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_RAW);
945             n = vnc_raw_send_framebuffer_update(vs, x, y, w, h);
946             break;
947     }
948     return n;
949 }
950 
951 static void vnc_mouse_set(DisplayChangeListener *dcl,
952                           int x, int y, int visible)
953 {
954     /* can we ask the client(s) to move the pointer ??? */
955 }
956 
957 static int vnc_cursor_define(VncState *vs)
958 {
959     QEMUCursor *c = vs->vd->cursor;
960     int isize;
961 
962     if (!vs->vd->cursor) {
963         return -1;
964     }
965 
966     if (vnc_has_feature(vs, VNC_FEATURE_ALPHA_CURSOR)) {
967         vnc_lock_output(vs);
968         vnc_write_u8(vs,  VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
969         vnc_write_u8(vs,  0);  /*  padding     */
970         vnc_write_u16(vs, 1);  /*  # of rects  */
971         vnc_framebuffer_update(vs, c->hot_x, c->hot_y, c->width, c->height,
972                                VNC_ENCODING_ALPHA_CURSOR);
973         vnc_write_s32(vs, VNC_ENCODING_RAW);
974         vnc_write(vs, c->data, c->width * c->height * 4);
975         vnc_unlock_output(vs);
976         return 0;
977     }
978     if (vnc_has_feature(vs, VNC_FEATURE_RICH_CURSOR)) {
979         vnc_lock_output(vs);
980         vnc_write_u8(vs,  VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
981         vnc_write_u8(vs,  0);  /*  padding     */
982         vnc_write_u16(vs, 1);  /*  # of rects  */
983         vnc_framebuffer_update(vs, c->hot_x, c->hot_y, c->width, c->height,
984                                VNC_ENCODING_RICH_CURSOR);
985         isize = c->width * c->height * vs->client_pf.bytes_per_pixel;
986         vnc_write_pixels_generic(vs, c->data, isize);
987         vnc_write(vs, vs->vd->cursor_mask, vs->vd->cursor_msize);
988         vnc_unlock_output(vs);
989         return 0;
990     }
991     return -1;
992 }
993 
994 static void vnc_dpy_cursor_define(DisplayChangeListener *dcl,
995                                   QEMUCursor *c)
996 {
997     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
998     VncState *vs;
999 
1000     cursor_put(vd->cursor);
1001     g_free(vd->cursor_mask);
1002 
1003     vd->cursor = c;
1004     cursor_get(vd->cursor);
1005     vd->cursor_msize = cursor_get_mono_bpl(c) * c->height;
1006     vd->cursor_mask = g_malloc0(vd->cursor_msize);
1007     cursor_get_mono_mask(c, 0, vd->cursor_mask);
1008 
1009     QTAILQ_FOREACH(vs, &vd->clients, next) {
1010         vnc_cursor_define(vs);
1011     }
1012 }
1013 
1014 static int find_and_clear_dirty_height(VncState *vs,
1015                                        int y, int last_x, int x, int height)
1016 {
1017     int h;
1018 
1019     for (h = 1; h < (height - y); h++) {
1020         if (!test_bit(last_x, vs->dirty[y + h])) {
1021             break;
1022         }
1023         bitmap_clear(vs->dirty[y + h], last_x, x - last_x);
1024     }
1025 
1026     return h;
1027 }
1028 
1029 /*
1030  * Figure out how much pending data we should allow in the output
1031  * buffer before we throttle incremental display updates, and/or
1032  * drop audio samples.
1033  *
1034  * We allow for equiv of 1 full display's worth of FB updates,
1035  * and 1 second of audio samples. If audio backlog was larger
1036  * than that the client would already suffering awful audio
1037  * glitches, so dropping samples is no worse really).
1038  */
1039 static void vnc_update_throttle_offset(VncState *vs)
1040 {
1041     size_t offset =
1042         vs->client_width * vs->client_height * vs->client_pf.bytes_per_pixel;
1043 
1044     if (vs->audio_cap) {
1045         int bps;
1046         switch (vs->as.fmt) {
1047         default:
1048         case  AUDIO_FORMAT_U8:
1049         case  AUDIO_FORMAT_S8:
1050             bps = 1;
1051             break;
1052         case  AUDIO_FORMAT_U16:
1053         case  AUDIO_FORMAT_S16:
1054             bps = 2;
1055             break;
1056         case  AUDIO_FORMAT_U32:
1057         case  AUDIO_FORMAT_S32:
1058             bps = 4;
1059             break;
1060         }
1061         offset += vs->as.freq * bps * vs->as.nchannels;
1062     }
1063 
1064     /* Put a floor of 1MB on offset, so that if we have a large pending
1065      * buffer and the display is resized to a small size & back again
1066      * we don't suddenly apply a tiny send limit
1067      */
1068     offset = MAX(offset, 1024 * 1024);
1069 
1070     if (vs->throttle_output_offset != offset) {
1071         trace_vnc_client_throttle_threshold(
1072             vs, vs->ioc, vs->throttle_output_offset, offset, vs->client_width,
1073             vs->client_height, vs->client_pf.bytes_per_pixel, vs->audio_cap);
1074     }
1075 
1076     vs->throttle_output_offset = offset;
1077 }
1078 
1079 static bool vnc_should_update(VncState *vs)
1080 {
1081     switch (vs->update) {
1082     case VNC_STATE_UPDATE_NONE:
1083         break;
1084     case VNC_STATE_UPDATE_INCREMENTAL:
1085         /* Only allow incremental updates if the pending send queue
1086          * is less than the permitted threshold, and the job worker
1087          * is completely idle.
1088          */
1089         if (vs->output.offset < vs->throttle_output_offset &&
1090             vs->job_update == VNC_STATE_UPDATE_NONE) {
1091             return true;
1092         }
1093         trace_vnc_client_throttle_incremental(
1094             vs, vs->ioc, vs->job_update, vs->output.offset);
1095         break;
1096     case VNC_STATE_UPDATE_FORCE:
1097         /* Only allow forced updates if the pending send queue
1098          * does not contain a previous forced update, and the
1099          * job worker is completely idle.
1100          *
1101          * Note this means we'll queue a forced update, even if
1102          * the output buffer size is otherwise over the throttle
1103          * output limit.
1104          */
1105         if (vs->force_update_offset == 0 &&
1106             vs->job_update == VNC_STATE_UPDATE_NONE) {
1107             return true;
1108         }
1109         trace_vnc_client_throttle_forced(
1110             vs, vs->ioc, vs->job_update, vs->force_update_offset);
1111         break;
1112     }
1113     return false;
1114 }
1115 
1116 static int vnc_update_client(VncState *vs, int has_dirty)
1117 {
1118     VncDisplay *vd = vs->vd;
1119     VncJob *job;
1120     int y;
1121     int height, width;
1122     int n = 0;
1123 
1124     if (vs->disconnecting) {
1125         vnc_disconnect_finish(vs);
1126         return 0;
1127     }
1128 
1129     vs->has_dirty += has_dirty;
1130     if (!vnc_should_update(vs)) {
1131         return 0;
1132     }
1133 
1134     if (!vs->has_dirty && vs->update != VNC_STATE_UPDATE_FORCE) {
1135         return 0;
1136     }
1137 
1138     /*
1139      * Send screen updates to the vnc client using the server
1140      * surface and server dirty map.  guest surface updates
1141      * happening in parallel don't disturb us, the next pass will
1142      * send them to the client.
1143      */
1144     job = vnc_job_new(vs);
1145 
1146     height = pixman_image_get_height(vd->server);
1147     width = pixman_image_get_width(vd->server);
1148 
1149     y = 0;
1150     for (;;) {
1151         int x, h;
1152         unsigned long x2;
1153         unsigned long offset = find_next_bit((unsigned long *) &vs->dirty,
1154                                              height * VNC_DIRTY_BPL(vs),
1155                                              y * VNC_DIRTY_BPL(vs));
1156         if (offset == height * VNC_DIRTY_BPL(vs)) {
1157             /* no more dirty bits */
1158             break;
1159         }
1160         y = offset / VNC_DIRTY_BPL(vs);
1161         x = offset % VNC_DIRTY_BPL(vs);
1162         x2 = find_next_zero_bit((unsigned long *) &vs->dirty[y],
1163                                 VNC_DIRTY_BPL(vs), x);
1164         bitmap_clear(vs->dirty[y], x, x2 - x);
1165         h = find_and_clear_dirty_height(vs, y, x, x2, height);
1166         x2 = MIN(x2, width / VNC_DIRTY_PIXELS_PER_BIT);
1167         if (x2 > x) {
1168             n += vnc_job_add_rect(job, x * VNC_DIRTY_PIXELS_PER_BIT, y,
1169                                   (x2 - x) * VNC_DIRTY_PIXELS_PER_BIT, h);
1170         }
1171         if (!x && x2 == width / VNC_DIRTY_PIXELS_PER_BIT) {
1172             y += h;
1173             if (y == height) {
1174                 break;
1175             }
1176         }
1177     }
1178 
1179     vs->job_update = vs->update;
1180     vs->update = VNC_STATE_UPDATE_NONE;
1181     vnc_job_push(job);
1182     vs->has_dirty = 0;
1183     return n;
1184 }
1185 
1186 /* audio */
1187 static void audio_capture_notify(void *opaque, audcnotification_e cmd)
1188 {
1189     VncState *vs = opaque;
1190 
1191     assert(vs->magic == VNC_MAGIC);
1192     switch (cmd) {
1193     case AUD_CNOTIFY_DISABLE:
1194         vnc_lock_output(vs);
1195         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1196         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1197         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_END);
1198         vnc_unlock_output(vs);
1199         vnc_flush(vs);
1200         break;
1201 
1202     case AUD_CNOTIFY_ENABLE:
1203         vnc_lock_output(vs);
1204         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1205         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1206         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_BEGIN);
1207         vnc_unlock_output(vs);
1208         vnc_flush(vs);
1209         break;
1210     }
1211 }
1212 
1213 static void audio_capture_destroy(void *opaque)
1214 {
1215 }
1216 
1217 static void audio_capture(void *opaque, const void *buf, int size)
1218 {
1219     VncState *vs = opaque;
1220 
1221     assert(vs->magic == VNC_MAGIC);
1222     vnc_lock_output(vs);
1223     if (vs->output.offset < vs->throttle_output_offset) {
1224         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1225         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1226         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_DATA);
1227         vnc_write_u32(vs, size);
1228         vnc_write(vs, buf, size);
1229     } else {
1230         trace_vnc_client_throttle_audio(vs, vs->ioc, vs->output.offset);
1231     }
1232     vnc_unlock_output(vs);
1233     vnc_flush(vs);
1234 }
1235 
1236 static void audio_add(VncState *vs)
1237 {
1238     struct audio_capture_ops ops;
1239 
1240     if (vs->audio_cap) {
1241         error_report("audio already running");
1242         return;
1243     }
1244 
1245     ops.notify = audio_capture_notify;
1246     ops.destroy = audio_capture_destroy;
1247     ops.capture = audio_capture;
1248 
1249     vs->audio_cap = AUD_add_capture(vs->vd->audio_state, &vs->as, &ops, vs);
1250     if (!vs->audio_cap) {
1251         error_report("Failed to add audio capture");
1252     }
1253 }
1254 
1255 static void audio_del(VncState *vs)
1256 {
1257     if (vs->audio_cap) {
1258         AUD_del_capture(vs->audio_cap, vs);
1259         vs->audio_cap = NULL;
1260     }
1261 }
1262 
1263 static void vnc_disconnect_start(VncState *vs)
1264 {
1265     if (vs->disconnecting) {
1266         return;
1267     }
1268     trace_vnc_client_disconnect_start(vs, vs->ioc);
1269     vnc_set_share_mode(vs, VNC_SHARE_MODE_DISCONNECTED);
1270     if (vs->ioc_tag) {
1271         g_source_remove(vs->ioc_tag);
1272         vs->ioc_tag = 0;
1273     }
1274     qio_channel_close(vs->ioc, NULL);
1275     vs->disconnecting = TRUE;
1276 }
1277 
1278 void vnc_disconnect_finish(VncState *vs)
1279 {
1280     int i;
1281 
1282     trace_vnc_client_disconnect_finish(vs, vs->ioc);
1283 
1284     vnc_jobs_join(vs); /* Wait encoding jobs */
1285 
1286     vnc_lock_output(vs);
1287     vnc_qmp_event(vs, QAPI_EVENT_VNC_DISCONNECTED);
1288 
1289     buffer_free(&vs->input);
1290     buffer_free(&vs->output);
1291 
1292     qapi_free_VncClientInfo(vs->info);
1293 
1294     vnc_zlib_clear(vs);
1295     vnc_tight_clear(vs);
1296     vnc_zrle_clear(vs);
1297 
1298 #ifdef CONFIG_VNC_SASL
1299     vnc_sasl_client_cleanup(vs);
1300 #endif /* CONFIG_VNC_SASL */
1301     audio_del(vs);
1302     qkbd_state_lift_all_keys(vs->vd->kbd);
1303 
1304     if (vs->mouse_mode_notifier.notify != NULL) {
1305         qemu_remove_mouse_mode_change_notifier(&vs->mouse_mode_notifier);
1306     }
1307     QTAILQ_REMOVE(&vs->vd->clients, vs, next);
1308     if (QTAILQ_EMPTY(&vs->vd->clients)) {
1309         /* last client gone */
1310         vnc_update_server_surface(vs->vd);
1311     }
1312 
1313     vnc_unlock_output(vs);
1314 
1315     qemu_mutex_destroy(&vs->output_mutex);
1316     if (vs->bh != NULL) {
1317         qemu_bh_delete(vs->bh);
1318     }
1319     buffer_free(&vs->jobs_buffer);
1320 
1321     for (i = 0; i < VNC_STAT_ROWS; ++i) {
1322         g_free(vs->lossy_rect[i]);
1323     }
1324     g_free(vs->lossy_rect);
1325 
1326     object_unref(OBJECT(vs->ioc));
1327     vs->ioc = NULL;
1328     object_unref(OBJECT(vs->sioc));
1329     vs->sioc = NULL;
1330     vs->magic = 0;
1331     g_free(vs->zrle);
1332     g_free(vs->tight);
1333     g_free(vs);
1334 }
1335 
1336 size_t vnc_client_io_error(VncState *vs, ssize_t ret, Error *err)
1337 {
1338     if (ret <= 0) {
1339         if (ret == 0) {
1340             trace_vnc_client_eof(vs, vs->ioc);
1341             vnc_disconnect_start(vs);
1342         } else if (ret != QIO_CHANNEL_ERR_BLOCK) {
1343             trace_vnc_client_io_error(vs, vs->ioc,
1344                                       err ? error_get_pretty(err) : "Unknown");
1345             vnc_disconnect_start(vs);
1346         }
1347 
1348         error_free(err);
1349         return 0;
1350     }
1351     return ret;
1352 }
1353 
1354 
1355 void vnc_client_error(VncState *vs)
1356 {
1357     VNC_DEBUG("Closing down client sock: protocol error\n");
1358     vnc_disconnect_start(vs);
1359 }
1360 
1361 
1362 /*
1363  * Called to write a chunk of data to the client socket. The data may
1364  * be the raw data, or may have already been encoded by SASL.
1365  * The data will be written either straight onto the socket, or
1366  * written via the GNUTLS wrappers, if TLS/SSL encryption is enabled
1367  *
1368  * NB, it is theoretically possible to have 2 layers of encryption,
1369  * both SASL, and this TLS layer. It is highly unlikely in practice
1370  * though, since SASL encryption will typically be a no-op if TLS
1371  * is active
1372  *
1373  * Returns the number of bytes written, which may be less than
1374  * the requested 'datalen' if the socket would block. Returns
1375  * 0 on I/O error, and disconnects the client socket.
1376  */
1377 size_t vnc_client_write_buf(VncState *vs, const uint8_t *data, size_t datalen)
1378 {
1379     Error *err = NULL;
1380     ssize_t ret;
1381     ret = qio_channel_write(vs->ioc, (const char *)data, datalen, &err);
1382     VNC_DEBUG("Wrote wire %p %zd -> %ld\n", data, datalen, ret);
1383     return vnc_client_io_error(vs, ret, err);
1384 }
1385 
1386 
1387 /*
1388  * Called to write buffered data to the client socket, when not
1389  * using any SASL SSF encryption layers. Will write as much data
1390  * as possible without blocking. If all buffered data is written,
1391  * will switch the FD poll() handler back to read monitoring.
1392  *
1393  * Returns the number of bytes written, which may be less than
1394  * the buffered output data if the socket would block.  Returns
1395  * 0 on I/O error, and disconnects the client socket.
1396  */
1397 static size_t vnc_client_write_plain(VncState *vs)
1398 {
1399     size_t offset;
1400     size_t ret;
1401 
1402 #ifdef CONFIG_VNC_SASL
1403     VNC_DEBUG("Write Plain: Pending output %p size %zd offset %zd. Wait SSF %d\n",
1404               vs->output.buffer, vs->output.capacity, vs->output.offset,
1405               vs->sasl.waitWriteSSF);
1406 
1407     if (vs->sasl.conn &&
1408         vs->sasl.runSSF &&
1409         vs->sasl.waitWriteSSF) {
1410         ret = vnc_client_write_buf(vs, vs->output.buffer, vs->sasl.waitWriteSSF);
1411         if (ret)
1412             vs->sasl.waitWriteSSF -= ret;
1413     } else
1414 #endif /* CONFIG_VNC_SASL */
1415         ret = vnc_client_write_buf(vs, vs->output.buffer, vs->output.offset);
1416     if (!ret)
1417         return 0;
1418 
1419     if (ret >= vs->force_update_offset) {
1420         if (vs->force_update_offset != 0) {
1421             trace_vnc_client_unthrottle_forced(vs, vs->ioc);
1422         }
1423         vs->force_update_offset = 0;
1424     } else {
1425         vs->force_update_offset -= ret;
1426     }
1427     offset = vs->output.offset;
1428     buffer_advance(&vs->output, ret);
1429     if (offset >= vs->throttle_output_offset &&
1430         vs->output.offset < vs->throttle_output_offset) {
1431         trace_vnc_client_unthrottle_incremental(vs, vs->ioc, vs->output.offset);
1432     }
1433 
1434     if (vs->output.offset == 0) {
1435         if (vs->ioc_tag) {
1436             g_source_remove(vs->ioc_tag);
1437         }
1438         vs->ioc_tag = qio_channel_add_watch(
1439             vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
1440             vnc_client_io, vs, NULL);
1441     }
1442 
1443     return ret;
1444 }
1445 
1446 
1447 /*
1448  * First function called whenever there is data to be written to
1449  * the client socket. Will delegate actual work according to whether
1450  * SASL SSF layers are enabled (thus requiring encryption calls)
1451  */
1452 static void vnc_client_write_locked(VncState *vs)
1453 {
1454 #ifdef CONFIG_VNC_SASL
1455     if (vs->sasl.conn &&
1456         vs->sasl.runSSF &&
1457         !vs->sasl.waitWriteSSF) {
1458         vnc_client_write_sasl(vs);
1459     } else
1460 #endif /* CONFIG_VNC_SASL */
1461     {
1462         vnc_client_write_plain(vs);
1463     }
1464 }
1465 
1466 static void vnc_client_write(VncState *vs)
1467 {
1468     assert(vs->magic == VNC_MAGIC);
1469     vnc_lock_output(vs);
1470     if (vs->output.offset) {
1471         vnc_client_write_locked(vs);
1472     } else if (vs->ioc != NULL) {
1473         if (vs->ioc_tag) {
1474             g_source_remove(vs->ioc_tag);
1475         }
1476         vs->ioc_tag = qio_channel_add_watch(
1477             vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
1478             vnc_client_io, vs, NULL);
1479     }
1480     vnc_unlock_output(vs);
1481 }
1482 
1483 void vnc_read_when(VncState *vs, VncReadEvent *func, size_t expecting)
1484 {
1485     vs->read_handler = func;
1486     vs->read_handler_expect = expecting;
1487 }
1488 
1489 
1490 /*
1491  * Called to read a chunk of data from the client socket. The data may
1492  * be the raw data, or may need to be further decoded by SASL.
1493  * The data will be read either straight from to the socket, or
1494  * read via the GNUTLS wrappers, if TLS/SSL encryption is enabled
1495  *
1496  * NB, it is theoretically possible to have 2 layers of encryption,
1497  * both SASL, and this TLS layer. It is highly unlikely in practice
1498  * though, since SASL encryption will typically be a no-op if TLS
1499  * is active
1500  *
1501  * Returns the number of bytes read, which may be less than
1502  * the requested 'datalen' if the socket would block. Returns
1503  * 0 on I/O error or EOF, and disconnects the client socket.
1504  */
1505 size_t vnc_client_read_buf(VncState *vs, uint8_t *data, size_t datalen)
1506 {
1507     ssize_t ret;
1508     Error *err = NULL;
1509     ret = qio_channel_read(vs->ioc, (char *)data, datalen, &err);
1510     VNC_DEBUG("Read wire %p %zd -> %ld\n", data, datalen, ret);
1511     return vnc_client_io_error(vs, ret, err);
1512 }
1513 
1514 
1515 /*
1516  * Called to read data from the client socket to the input buffer,
1517  * when not using any SASL SSF encryption layers. Will read as much
1518  * data as possible without blocking.
1519  *
1520  * Returns the number of bytes read, which may be less than
1521  * the requested 'datalen' if the socket would block. Returns
1522  * 0 on I/O error or EOF, and disconnects the client socket.
1523  */
1524 static size_t vnc_client_read_plain(VncState *vs)
1525 {
1526     size_t ret;
1527     VNC_DEBUG("Read plain %p size %zd offset %zd\n",
1528               vs->input.buffer, vs->input.capacity, vs->input.offset);
1529     buffer_reserve(&vs->input, 4096);
1530     ret = vnc_client_read_buf(vs, buffer_end(&vs->input), 4096);
1531     if (!ret)
1532         return 0;
1533     vs->input.offset += ret;
1534     return ret;
1535 }
1536 
1537 static void vnc_jobs_bh(void *opaque)
1538 {
1539     VncState *vs = opaque;
1540 
1541     assert(vs->magic == VNC_MAGIC);
1542     vnc_jobs_consume_buffer(vs);
1543 }
1544 
1545 /*
1546  * First function called whenever there is more data to be read from
1547  * the client socket. Will delegate actual work according to whether
1548  * SASL SSF layers are enabled (thus requiring decryption calls)
1549  * Returns 0 on success, -1 if client disconnected
1550  */
1551 static int vnc_client_read(VncState *vs)
1552 {
1553     size_t ret;
1554 
1555 #ifdef CONFIG_VNC_SASL
1556     if (vs->sasl.conn && vs->sasl.runSSF)
1557         ret = vnc_client_read_sasl(vs);
1558     else
1559 #endif /* CONFIG_VNC_SASL */
1560         ret = vnc_client_read_plain(vs);
1561     if (!ret) {
1562         if (vs->disconnecting) {
1563             vnc_disconnect_finish(vs);
1564             return -1;
1565         }
1566         return 0;
1567     }
1568 
1569     while (vs->read_handler && vs->input.offset >= vs->read_handler_expect) {
1570         size_t len = vs->read_handler_expect;
1571         int ret;
1572 
1573         ret = vs->read_handler(vs, vs->input.buffer, len);
1574         if (vs->disconnecting) {
1575             vnc_disconnect_finish(vs);
1576             return -1;
1577         }
1578 
1579         if (!ret) {
1580             buffer_advance(&vs->input, len);
1581         } else {
1582             vs->read_handler_expect = ret;
1583         }
1584     }
1585     return 0;
1586 }
1587 
1588 gboolean vnc_client_io(QIOChannel *ioc G_GNUC_UNUSED,
1589                        GIOCondition condition, void *opaque)
1590 {
1591     VncState *vs = opaque;
1592 
1593     assert(vs->magic == VNC_MAGIC);
1594 
1595     if (condition & (G_IO_HUP | G_IO_ERR)) {
1596         vnc_disconnect_start(vs);
1597         return TRUE;
1598     }
1599 
1600     if (condition & G_IO_IN) {
1601         if (vnc_client_read(vs) < 0) {
1602             /* vs is free()ed here */
1603             return TRUE;
1604         }
1605     }
1606     if (condition & G_IO_OUT) {
1607         vnc_client_write(vs);
1608     }
1609 
1610     if (vs->disconnecting) {
1611         if (vs->ioc_tag != 0) {
1612             g_source_remove(vs->ioc_tag);
1613         }
1614         vs->ioc_tag = 0;
1615     }
1616     return TRUE;
1617 }
1618 
1619 
1620 /*
1621  * Scale factor to apply to vs->throttle_output_offset when checking for
1622  * hard limit. Worst case normal usage could be x2, if we have a complete
1623  * incremental update and complete forced update in the output buffer.
1624  * So x3 should be good enough, but we pick x5 to be conservative and thus
1625  * (hopefully) never trigger incorrectly.
1626  */
1627 #define VNC_THROTTLE_OUTPUT_LIMIT_SCALE 5
1628 
1629 void vnc_write(VncState *vs, const void *data, size_t len)
1630 {
1631     assert(vs->magic == VNC_MAGIC);
1632     if (vs->disconnecting) {
1633         return;
1634     }
1635     /* Protection against malicious client/guest to prevent our output
1636      * buffer growing without bound if client stops reading data. This
1637      * should rarely trigger, because we have earlier throttling code
1638      * which stops issuing framebuffer updates and drops audio data
1639      * if the throttle_output_offset value is exceeded. So we only reach
1640      * this higher level if a huge number of pseudo-encodings get
1641      * triggered while data can't be sent on the socket.
1642      *
1643      * NB throttle_output_offset can be zero during early protocol
1644      * handshake, or from the job thread's VncState clone
1645      */
1646     if (vs->throttle_output_offset != 0 &&
1647         (vs->output.offset / VNC_THROTTLE_OUTPUT_LIMIT_SCALE) >
1648         vs->throttle_output_offset) {
1649         trace_vnc_client_output_limit(vs, vs->ioc, vs->output.offset,
1650                                       vs->throttle_output_offset);
1651         vnc_disconnect_start(vs);
1652         return;
1653     }
1654     buffer_reserve(&vs->output, len);
1655 
1656     if (vs->ioc != NULL && buffer_empty(&vs->output)) {
1657         if (vs->ioc_tag) {
1658             g_source_remove(vs->ioc_tag);
1659         }
1660         vs->ioc_tag = qio_channel_add_watch(
1661             vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR | G_IO_OUT,
1662             vnc_client_io, vs, NULL);
1663     }
1664 
1665     buffer_append(&vs->output, data, len);
1666 }
1667 
1668 void vnc_write_s32(VncState *vs, int32_t value)
1669 {
1670     vnc_write_u32(vs, *(uint32_t *)&value);
1671 }
1672 
1673 void vnc_write_u32(VncState *vs, uint32_t value)
1674 {
1675     uint8_t buf[4];
1676 
1677     buf[0] = (value >> 24) & 0xFF;
1678     buf[1] = (value >> 16) & 0xFF;
1679     buf[2] = (value >>  8) & 0xFF;
1680     buf[3] = value & 0xFF;
1681 
1682     vnc_write(vs, buf, 4);
1683 }
1684 
1685 void vnc_write_u16(VncState *vs, uint16_t value)
1686 {
1687     uint8_t buf[2];
1688 
1689     buf[0] = (value >> 8) & 0xFF;
1690     buf[1] = value & 0xFF;
1691 
1692     vnc_write(vs, buf, 2);
1693 }
1694 
1695 void vnc_write_u8(VncState *vs, uint8_t value)
1696 {
1697     vnc_write(vs, (char *)&value, 1);
1698 }
1699 
1700 void vnc_flush(VncState *vs)
1701 {
1702     vnc_lock_output(vs);
1703     if (vs->ioc != NULL && vs->output.offset) {
1704         vnc_client_write_locked(vs);
1705     }
1706     if (vs->disconnecting) {
1707         if (vs->ioc_tag != 0) {
1708             g_source_remove(vs->ioc_tag);
1709         }
1710         vs->ioc_tag = 0;
1711     }
1712     vnc_unlock_output(vs);
1713 }
1714 
1715 static uint8_t read_u8(uint8_t *data, size_t offset)
1716 {
1717     return data[offset];
1718 }
1719 
1720 static uint16_t read_u16(uint8_t *data, size_t offset)
1721 {
1722     return ((data[offset] & 0xFF) << 8) | (data[offset + 1] & 0xFF);
1723 }
1724 
1725 static int32_t read_s32(uint8_t *data, size_t offset)
1726 {
1727     return (int32_t)((data[offset] << 24) | (data[offset + 1] << 16) |
1728                      (data[offset + 2] << 8) | data[offset + 3]);
1729 }
1730 
1731 uint32_t read_u32(uint8_t *data, size_t offset)
1732 {
1733     return ((data[offset] << 24) | (data[offset + 1] << 16) |
1734             (data[offset + 2] << 8) | data[offset + 3]);
1735 }
1736 
1737 static void client_cut_text(VncState *vs, size_t len, uint8_t *text)
1738 {
1739 }
1740 
1741 static void check_pointer_type_change(Notifier *notifier, void *data)
1742 {
1743     VncState *vs = container_of(notifier, VncState, mouse_mode_notifier);
1744     int absolute = qemu_input_is_absolute();
1745 
1746     if (vnc_has_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE) && vs->absolute != absolute) {
1747         vnc_lock_output(vs);
1748         vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1749         vnc_write_u8(vs, 0);
1750         vnc_write_u16(vs, 1);
1751         vnc_framebuffer_update(vs, absolute, 0,
1752                                pixman_image_get_width(vs->vd->server),
1753                                pixman_image_get_height(vs->vd->server),
1754                                VNC_ENCODING_POINTER_TYPE_CHANGE);
1755         vnc_unlock_output(vs);
1756         vnc_flush(vs);
1757     }
1758     vs->absolute = absolute;
1759 }
1760 
1761 static void pointer_event(VncState *vs, int button_mask, int x, int y)
1762 {
1763     static uint32_t bmap[INPUT_BUTTON__MAX] = {
1764         [INPUT_BUTTON_LEFT]       = 0x01,
1765         [INPUT_BUTTON_MIDDLE]     = 0x02,
1766         [INPUT_BUTTON_RIGHT]      = 0x04,
1767         [INPUT_BUTTON_WHEEL_UP]   = 0x08,
1768         [INPUT_BUTTON_WHEEL_DOWN] = 0x10,
1769     };
1770     QemuConsole *con = vs->vd->dcl.con;
1771     int width = pixman_image_get_width(vs->vd->server);
1772     int height = pixman_image_get_height(vs->vd->server);
1773 
1774     if (vs->last_bmask != button_mask) {
1775         qemu_input_update_buttons(con, bmap, vs->last_bmask, button_mask);
1776         vs->last_bmask = button_mask;
1777     }
1778 
1779     if (vs->absolute) {
1780         qemu_input_queue_abs(con, INPUT_AXIS_X, x, 0, width);
1781         qemu_input_queue_abs(con, INPUT_AXIS_Y, y, 0, height);
1782     } else if (vnc_has_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE)) {
1783         qemu_input_queue_rel(con, INPUT_AXIS_X, x - 0x7FFF);
1784         qemu_input_queue_rel(con, INPUT_AXIS_Y, y - 0x7FFF);
1785     } else {
1786         if (vs->last_x != -1) {
1787             qemu_input_queue_rel(con, INPUT_AXIS_X, x - vs->last_x);
1788             qemu_input_queue_rel(con, INPUT_AXIS_Y, y - vs->last_y);
1789         }
1790         vs->last_x = x;
1791         vs->last_y = y;
1792     }
1793     qemu_input_event_sync();
1794 }
1795 
1796 static void press_key(VncState *vs, QKeyCode qcode)
1797 {
1798     qkbd_state_key_event(vs->vd->kbd, qcode, true);
1799     qkbd_state_key_event(vs->vd->kbd, qcode, false);
1800 }
1801 
1802 static void vnc_led_state_change(VncState *vs)
1803 {
1804     if (!vnc_has_feature(vs, VNC_FEATURE_LED_STATE)) {
1805         return;
1806     }
1807 
1808     vnc_lock_output(vs);
1809     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1810     vnc_write_u8(vs, 0);
1811     vnc_write_u16(vs, 1);
1812     vnc_framebuffer_update(vs, 0, 0, 1, 1, VNC_ENCODING_LED_STATE);
1813     vnc_write_u8(vs, vs->vd->ledstate);
1814     vnc_unlock_output(vs);
1815     vnc_flush(vs);
1816 }
1817 
1818 static void kbd_leds(void *opaque, int ledstate)
1819 {
1820     VncDisplay *vd = opaque;
1821     VncState *client;
1822 
1823     trace_vnc_key_guest_leds((ledstate & QEMU_CAPS_LOCK_LED),
1824                              (ledstate & QEMU_NUM_LOCK_LED),
1825                              (ledstate & QEMU_SCROLL_LOCK_LED));
1826 
1827     if (ledstate == vd->ledstate) {
1828         return;
1829     }
1830 
1831     vd->ledstate = ledstate;
1832 
1833     QTAILQ_FOREACH(client, &vd->clients, next) {
1834         vnc_led_state_change(client);
1835     }
1836 }
1837 
1838 static void do_key_event(VncState *vs, int down, int keycode, int sym)
1839 {
1840     QKeyCode qcode = qemu_input_key_number_to_qcode(keycode);
1841 
1842     /* QEMU console switch */
1843     switch (qcode) {
1844     case Q_KEY_CODE_1 ... Q_KEY_CODE_9: /* '1' to '9' keys */
1845         if (vs->vd->dcl.con == NULL && down &&
1846             qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_CTRL) &&
1847             qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_ALT)) {
1848             /* Reset the modifiers sent to the current console */
1849             qkbd_state_lift_all_keys(vs->vd->kbd);
1850             console_select(qcode - Q_KEY_CODE_1);
1851             return;
1852         }
1853     default:
1854         break;
1855     }
1856 
1857     /* Turn off the lock state sync logic if the client support the led
1858        state extension.
1859     */
1860     if (down && vs->vd->lock_key_sync &&
1861         !vnc_has_feature(vs, VNC_FEATURE_LED_STATE) &&
1862         keycode_is_keypad(vs->vd->kbd_layout, keycode)) {
1863         /* If the numlock state needs to change then simulate an additional
1864            keypress before sending this one.  This will happen if the user
1865            toggles numlock away from the VNC window.
1866         */
1867         if (keysym_is_numlock(vs->vd->kbd_layout, sym & 0xFFFF)) {
1868             if (!qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_NUMLOCK)) {
1869                 trace_vnc_key_sync_numlock(true);
1870                 press_key(vs, Q_KEY_CODE_NUM_LOCK);
1871             }
1872         } else {
1873             if (qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_NUMLOCK)) {
1874                 trace_vnc_key_sync_numlock(false);
1875                 press_key(vs, Q_KEY_CODE_NUM_LOCK);
1876             }
1877         }
1878     }
1879 
1880     if (down && vs->vd->lock_key_sync &&
1881         !vnc_has_feature(vs, VNC_FEATURE_LED_STATE) &&
1882         ((sym >= 'A' && sym <= 'Z') || (sym >= 'a' && sym <= 'z'))) {
1883         /* If the capslock state needs to change then simulate an additional
1884            keypress before sending this one.  This will happen if the user
1885            toggles capslock away from the VNC window.
1886         */
1887         int uppercase = !!(sym >= 'A' && sym <= 'Z');
1888         bool shift = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_SHIFT);
1889         bool capslock = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_CAPSLOCK);
1890         if (capslock) {
1891             if (uppercase == shift) {
1892                 trace_vnc_key_sync_capslock(false);
1893                 press_key(vs, Q_KEY_CODE_CAPS_LOCK);
1894             }
1895         } else {
1896             if (uppercase != shift) {
1897                 trace_vnc_key_sync_capslock(true);
1898                 press_key(vs, Q_KEY_CODE_CAPS_LOCK);
1899             }
1900         }
1901     }
1902 
1903     qkbd_state_key_event(vs->vd->kbd, qcode, down);
1904     if (!qemu_console_is_graphic(NULL)) {
1905         bool numlock = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_NUMLOCK);
1906         bool control = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_CTRL);
1907         /* QEMU console emulation */
1908         if (down) {
1909             switch (keycode) {
1910             case 0x2a:                          /* Left Shift */
1911             case 0x36:                          /* Right Shift */
1912             case 0x1d:                          /* Left CTRL */
1913             case 0x9d:                          /* Right CTRL */
1914             case 0x38:                          /* Left ALT */
1915             case 0xb8:                          /* Right ALT */
1916                 break;
1917             case 0xc8:
1918                 kbd_put_keysym(QEMU_KEY_UP);
1919                 break;
1920             case 0xd0:
1921                 kbd_put_keysym(QEMU_KEY_DOWN);
1922                 break;
1923             case 0xcb:
1924                 kbd_put_keysym(QEMU_KEY_LEFT);
1925                 break;
1926             case 0xcd:
1927                 kbd_put_keysym(QEMU_KEY_RIGHT);
1928                 break;
1929             case 0xd3:
1930                 kbd_put_keysym(QEMU_KEY_DELETE);
1931                 break;
1932             case 0xc7:
1933                 kbd_put_keysym(QEMU_KEY_HOME);
1934                 break;
1935             case 0xcf:
1936                 kbd_put_keysym(QEMU_KEY_END);
1937                 break;
1938             case 0xc9:
1939                 kbd_put_keysym(QEMU_KEY_PAGEUP);
1940                 break;
1941             case 0xd1:
1942                 kbd_put_keysym(QEMU_KEY_PAGEDOWN);
1943                 break;
1944 
1945             case 0x47:
1946                 kbd_put_keysym(numlock ? '7' : QEMU_KEY_HOME);
1947                 break;
1948             case 0x48:
1949                 kbd_put_keysym(numlock ? '8' : QEMU_KEY_UP);
1950                 break;
1951             case 0x49:
1952                 kbd_put_keysym(numlock ? '9' : QEMU_KEY_PAGEUP);
1953                 break;
1954             case 0x4b:
1955                 kbd_put_keysym(numlock ? '4' : QEMU_KEY_LEFT);
1956                 break;
1957             case 0x4c:
1958                 kbd_put_keysym('5');
1959                 break;
1960             case 0x4d:
1961                 kbd_put_keysym(numlock ? '6' : QEMU_KEY_RIGHT);
1962                 break;
1963             case 0x4f:
1964                 kbd_put_keysym(numlock ? '1' : QEMU_KEY_END);
1965                 break;
1966             case 0x50:
1967                 kbd_put_keysym(numlock ? '2' : QEMU_KEY_DOWN);
1968                 break;
1969             case 0x51:
1970                 kbd_put_keysym(numlock ? '3' : QEMU_KEY_PAGEDOWN);
1971                 break;
1972             case 0x52:
1973                 kbd_put_keysym('0');
1974                 break;
1975             case 0x53:
1976                 kbd_put_keysym(numlock ? '.' : QEMU_KEY_DELETE);
1977                 break;
1978 
1979             case 0xb5:
1980                 kbd_put_keysym('/');
1981                 break;
1982             case 0x37:
1983                 kbd_put_keysym('*');
1984                 break;
1985             case 0x4a:
1986                 kbd_put_keysym('-');
1987                 break;
1988             case 0x4e:
1989                 kbd_put_keysym('+');
1990                 break;
1991             case 0x9c:
1992                 kbd_put_keysym('\n');
1993                 break;
1994 
1995             default:
1996                 if (control) {
1997                     kbd_put_keysym(sym & 0x1f);
1998                 } else {
1999                     kbd_put_keysym(sym);
2000                 }
2001                 break;
2002             }
2003         }
2004     }
2005 }
2006 
2007 static const char *code2name(int keycode)
2008 {
2009     return QKeyCode_str(qemu_input_key_number_to_qcode(keycode));
2010 }
2011 
2012 static void key_event(VncState *vs, int down, uint32_t sym)
2013 {
2014     int keycode;
2015     int lsym = sym;
2016 
2017     if (lsym >= 'A' && lsym <= 'Z' && qemu_console_is_graphic(NULL)) {
2018         lsym = lsym - 'A' + 'a';
2019     }
2020 
2021     keycode = keysym2scancode(vs->vd->kbd_layout, lsym & 0xFFFF,
2022                               vs->vd->kbd, down) & SCANCODE_KEYMASK;
2023     trace_vnc_key_event_map(down, sym, keycode, code2name(keycode));
2024     do_key_event(vs, down, keycode, sym);
2025 }
2026 
2027 static void ext_key_event(VncState *vs, int down,
2028                           uint32_t sym, uint16_t keycode)
2029 {
2030     /* if the user specifies a keyboard layout, always use it */
2031     if (keyboard_layout) {
2032         key_event(vs, down, sym);
2033     } else {
2034         trace_vnc_key_event_ext(down, sym, keycode, code2name(keycode));
2035         do_key_event(vs, down, keycode, sym);
2036     }
2037 }
2038 
2039 static void framebuffer_update_request(VncState *vs, int incremental,
2040                                        int x, int y, int w, int h)
2041 {
2042     if (incremental) {
2043         if (vs->update != VNC_STATE_UPDATE_FORCE) {
2044             vs->update = VNC_STATE_UPDATE_INCREMENTAL;
2045         }
2046     } else {
2047         vs->update = VNC_STATE_UPDATE_FORCE;
2048         vnc_set_area_dirty(vs->dirty, vs->vd, x, y, w, h);
2049         if (vnc_has_feature(vs, VNC_FEATURE_RESIZE_EXT)) {
2050             vnc_desktop_resize_ext(vs, 0);
2051         }
2052     }
2053 }
2054 
2055 static void send_ext_key_event_ack(VncState *vs)
2056 {
2057     vnc_lock_output(vs);
2058     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2059     vnc_write_u8(vs, 0);
2060     vnc_write_u16(vs, 1);
2061     vnc_framebuffer_update(vs, 0, 0,
2062                            pixman_image_get_width(vs->vd->server),
2063                            pixman_image_get_height(vs->vd->server),
2064                            VNC_ENCODING_EXT_KEY_EVENT);
2065     vnc_unlock_output(vs);
2066     vnc_flush(vs);
2067 }
2068 
2069 static void send_ext_audio_ack(VncState *vs)
2070 {
2071     vnc_lock_output(vs);
2072     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2073     vnc_write_u8(vs, 0);
2074     vnc_write_u16(vs, 1);
2075     vnc_framebuffer_update(vs, 0, 0,
2076                            pixman_image_get_width(vs->vd->server),
2077                            pixman_image_get_height(vs->vd->server),
2078                            VNC_ENCODING_AUDIO);
2079     vnc_unlock_output(vs);
2080     vnc_flush(vs);
2081 }
2082 
2083 static void send_xvp_message(VncState *vs, int code)
2084 {
2085     vnc_lock_output(vs);
2086     vnc_write_u8(vs, VNC_MSG_SERVER_XVP);
2087     vnc_write_u8(vs, 0); /* pad */
2088     vnc_write_u8(vs, 1); /* version */
2089     vnc_write_u8(vs, code);
2090     vnc_unlock_output(vs);
2091     vnc_flush(vs);
2092 }
2093 
2094 static void set_encodings(VncState *vs, int32_t *encodings, size_t n_encodings)
2095 {
2096     int i;
2097     unsigned int enc = 0;
2098 
2099     vs->features = 0;
2100     vs->vnc_encoding = 0;
2101     vs->tight->compression = 9;
2102     vs->tight->quality = -1; /* Lossless by default */
2103     vs->absolute = -1;
2104 
2105     /*
2106      * Start from the end because the encodings are sent in order of preference.
2107      * This way the preferred encoding (first encoding defined in the array)
2108      * will be set at the end of the loop.
2109      */
2110     for (i = n_encodings - 1; i >= 0; i--) {
2111         enc = encodings[i];
2112         switch (enc) {
2113         case VNC_ENCODING_RAW:
2114             vs->vnc_encoding = enc;
2115             break;
2116         case VNC_ENCODING_HEXTILE:
2117             vs->features |= VNC_FEATURE_HEXTILE_MASK;
2118             vs->vnc_encoding = enc;
2119             break;
2120         case VNC_ENCODING_TIGHT:
2121             vs->features |= VNC_FEATURE_TIGHT_MASK;
2122             vs->vnc_encoding = enc;
2123             break;
2124 #ifdef CONFIG_VNC_PNG
2125         case VNC_ENCODING_TIGHT_PNG:
2126             vs->features |= VNC_FEATURE_TIGHT_PNG_MASK;
2127             vs->vnc_encoding = enc;
2128             break;
2129 #endif
2130         case VNC_ENCODING_ZLIB:
2131             /*
2132              * VNC_ENCODING_ZRLE compresses better than VNC_ENCODING_ZLIB.
2133              * So prioritize ZRLE, even if the client hints that it prefers
2134              * ZLIB.
2135              */
2136             if ((vs->features & VNC_FEATURE_ZRLE_MASK) == 0) {
2137                 vs->features |= VNC_FEATURE_ZLIB_MASK;
2138                 vs->vnc_encoding = enc;
2139             }
2140             break;
2141         case VNC_ENCODING_ZRLE:
2142             vs->features |= VNC_FEATURE_ZRLE_MASK;
2143             vs->vnc_encoding = enc;
2144             break;
2145         case VNC_ENCODING_ZYWRLE:
2146             vs->features |= VNC_FEATURE_ZYWRLE_MASK;
2147             vs->vnc_encoding = enc;
2148             break;
2149         case VNC_ENCODING_DESKTOPRESIZE:
2150             vs->features |= VNC_FEATURE_RESIZE_MASK;
2151             break;
2152         case VNC_ENCODING_DESKTOP_RESIZE_EXT:
2153             vs->features |= VNC_FEATURE_RESIZE_EXT_MASK;
2154             break;
2155         case VNC_ENCODING_POINTER_TYPE_CHANGE:
2156             vs->features |= VNC_FEATURE_POINTER_TYPE_CHANGE_MASK;
2157             break;
2158         case VNC_ENCODING_RICH_CURSOR:
2159             vs->features |= VNC_FEATURE_RICH_CURSOR_MASK;
2160             break;
2161         case VNC_ENCODING_ALPHA_CURSOR:
2162             vs->features |= VNC_FEATURE_ALPHA_CURSOR_MASK;
2163             break;
2164         case VNC_ENCODING_EXT_KEY_EVENT:
2165             send_ext_key_event_ack(vs);
2166             break;
2167         case VNC_ENCODING_AUDIO:
2168             send_ext_audio_ack(vs);
2169             break;
2170         case VNC_ENCODING_WMVi:
2171             vs->features |= VNC_FEATURE_WMVI_MASK;
2172             break;
2173         case VNC_ENCODING_LED_STATE:
2174             vs->features |= VNC_FEATURE_LED_STATE_MASK;
2175             break;
2176         case VNC_ENCODING_XVP:
2177             if (vs->vd->power_control) {
2178                 vs->features |= VNC_FEATURE_XVP;
2179                 send_xvp_message(vs, VNC_XVP_CODE_INIT);
2180             }
2181             break;
2182         case VNC_ENCODING_COMPRESSLEVEL0 ... VNC_ENCODING_COMPRESSLEVEL0 + 9:
2183             vs->tight->compression = (enc & 0x0F);
2184             break;
2185         case VNC_ENCODING_QUALITYLEVEL0 ... VNC_ENCODING_QUALITYLEVEL0 + 9:
2186             if (vs->vd->lossy) {
2187                 vs->tight->quality = (enc & 0x0F);
2188             }
2189             break;
2190         default:
2191             VNC_DEBUG("Unknown encoding: %d (0x%.8x): %d\n", i, enc, enc);
2192             break;
2193         }
2194     }
2195     vnc_desktop_resize(vs);
2196     check_pointer_type_change(&vs->mouse_mode_notifier, NULL);
2197     vnc_led_state_change(vs);
2198     vnc_cursor_define(vs);
2199 }
2200 
2201 static void set_pixel_conversion(VncState *vs)
2202 {
2203     pixman_format_code_t fmt = qemu_pixman_get_format(&vs->client_pf);
2204 
2205     if (fmt == VNC_SERVER_FB_FORMAT) {
2206         vs->write_pixels = vnc_write_pixels_copy;
2207         vnc_hextile_set_pixel_conversion(vs, 0);
2208     } else {
2209         vs->write_pixels = vnc_write_pixels_generic;
2210         vnc_hextile_set_pixel_conversion(vs, 1);
2211     }
2212 }
2213 
2214 static void send_color_map(VncState *vs)
2215 {
2216     int i;
2217 
2218     vnc_lock_output(vs);
2219     vnc_write_u8(vs, VNC_MSG_SERVER_SET_COLOUR_MAP_ENTRIES);
2220     vnc_write_u8(vs,  0);    /* padding     */
2221     vnc_write_u16(vs, 0);    /* first color */
2222     vnc_write_u16(vs, 256);  /* # of colors */
2223 
2224     for (i = 0; i < 256; i++) {
2225         PixelFormat *pf = &vs->client_pf;
2226 
2227         vnc_write_u16(vs, (((i >> pf->rshift) & pf->rmax) << (16 - pf->rbits)));
2228         vnc_write_u16(vs, (((i >> pf->gshift) & pf->gmax) << (16 - pf->gbits)));
2229         vnc_write_u16(vs, (((i >> pf->bshift) & pf->bmax) << (16 - pf->bbits)));
2230     }
2231     vnc_unlock_output(vs);
2232 }
2233 
2234 static void set_pixel_format(VncState *vs, int bits_per_pixel,
2235                              int big_endian_flag, int true_color_flag,
2236                              int red_max, int green_max, int blue_max,
2237                              int red_shift, int green_shift, int blue_shift)
2238 {
2239     if (!true_color_flag) {
2240         /* Expose a reasonable default 256 color map */
2241         bits_per_pixel = 8;
2242         red_max = 7;
2243         green_max = 7;
2244         blue_max = 3;
2245         red_shift = 0;
2246         green_shift = 3;
2247         blue_shift = 6;
2248     }
2249 
2250     switch (bits_per_pixel) {
2251     case 8:
2252     case 16:
2253     case 32:
2254         break;
2255     default:
2256         vnc_client_error(vs);
2257         return;
2258     }
2259 
2260     vs->client_pf.rmax = red_max ? red_max : 0xFF;
2261     vs->client_pf.rbits = ctpopl(red_max);
2262     vs->client_pf.rshift = red_shift;
2263     vs->client_pf.rmask = red_max << red_shift;
2264     vs->client_pf.gmax = green_max ? green_max : 0xFF;
2265     vs->client_pf.gbits = ctpopl(green_max);
2266     vs->client_pf.gshift = green_shift;
2267     vs->client_pf.gmask = green_max << green_shift;
2268     vs->client_pf.bmax = blue_max ? blue_max : 0xFF;
2269     vs->client_pf.bbits = ctpopl(blue_max);
2270     vs->client_pf.bshift = blue_shift;
2271     vs->client_pf.bmask = blue_max << blue_shift;
2272     vs->client_pf.bits_per_pixel = bits_per_pixel;
2273     vs->client_pf.bytes_per_pixel = bits_per_pixel / 8;
2274     vs->client_pf.depth = bits_per_pixel == 32 ? 24 : bits_per_pixel;
2275     vs->client_be = big_endian_flag;
2276 
2277     if (!true_color_flag) {
2278         send_color_map(vs);
2279     }
2280 
2281     set_pixel_conversion(vs);
2282 
2283     graphic_hw_invalidate(vs->vd->dcl.con);
2284     graphic_hw_update(vs->vd->dcl.con);
2285 }
2286 
2287 static void pixel_format_message (VncState *vs) {
2288     char pad[3] = { 0, 0, 0 };
2289 
2290     vs->client_pf = qemu_default_pixelformat(32);
2291 
2292     vnc_write_u8(vs, vs->client_pf.bits_per_pixel); /* bits-per-pixel */
2293     vnc_write_u8(vs, vs->client_pf.depth); /* depth */
2294 
2295 #ifdef HOST_WORDS_BIGENDIAN
2296     vnc_write_u8(vs, 1);             /* big-endian-flag */
2297 #else
2298     vnc_write_u8(vs, 0);             /* big-endian-flag */
2299 #endif
2300     vnc_write_u8(vs, 1);             /* true-color-flag */
2301     vnc_write_u16(vs, vs->client_pf.rmax);     /* red-max */
2302     vnc_write_u16(vs, vs->client_pf.gmax);     /* green-max */
2303     vnc_write_u16(vs, vs->client_pf.bmax);     /* blue-max */
2304     vnc_write_u8(vs, vs->client_pf.rshift);    /* red-shift */
2305     vnc_write_u8(vs, vs->client_pf.gshift);    /* green-shift */
2306     vnc_write_u8(vs, vs->client_pf.bshift);    /* blue-shift */
2307     vnc_write(vs, pad, 3);           /* padding */
2308 
2309     vnc_hextile_set_pixel_conversion(vs, 0);
2310     vs->write_pixels = vnc_write_pixels_copy;
2311 }
2312 
2313 static void vnc_colordepth(VncState *vs)
2314 {
2315     if (vnc_has_feature(vs, VNC_FEATURE_WMVI)) {
2316         /* Sending a WMVi message to notify the client*/
2317         vnc_lock_output(vs);
2318         vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2319         vnc_write_u8(vs, 0);
2320         vnc_write_u16(vs, 1); /* number of rects */
2321         vnc_framebuffer_update(vs, 0, 0,
2322                                pixman_image_get_width(vs->vd->server),
2323                                pixman_image_get_height(vs->vd->server),
2324                                VNC_ENCODING_WMVi);
2325         pixel_format_message(vs);
2326         vnc_unlock_output(vs);
2327         vnc_flush(vs);
2328     } else {
2329         set_pixel_conversion(vs);
2330     }
2331 }
2332 
2333 static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
2334 {
2335     int i;
2336     uint16_t limit;
2337     uint32_t freq;
2338     VncDisplay *vd = vs->vd;
2339 
2340     if (data[0] > 3) {
2341         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
2342     }
2343 
2344     switch (data[0]) {
2345     case VNC_MSG_CLIENT_SET_PIXEL_FORMAT:
2346         if (len == 1)
2347             return 20;
2348 
2349         set_pixel_format(vs, read_u8(data, 4),
2350                          read_u8(data, 6), read_u8(data, 7),
2351                          read_u16(data, 8), read_u16(data, 10),
2352                          read_u16(data, 12), read_u8(data, 14),
2353                          read_u8(data, 15), read_u8(data, 16));
2354         break;
2355     case VNC_MSG_CLIENT_SET_ENCODINGS:
2356         if (len == 1)
2357             return 4;
2358 
2359         if (len == 4) {
2360             limit = read_u16(data, 2);
2361             if (limit > 0)
2362                 return 4 + (limit * 4);
2363         } else
2364             limit = read_u16(data, 2);
2365 
2366         for (i = 0; i < limit; i++) {
2367             int32_t val = read_s32(data, 4 + (i * 4));
2368             memcpy(data + 4 + (i * 4), &val, sizeof(val));
2369         }
2370 
2371         set_encodings(vs, (int32_t *)(data + 4), limit);
2372         break;
2373     case VNC_MSG_CLIENT_FRAMEBUFFER_UPDATE_REQUEST:
2374         if (len == 1)
2375             return 10;
2376 
2377         framebuffer_update_request(vs,
2378                                    read_u8(data, 1), read_u16(data, 2), read_u16(data, 4),
2379                                    read_u16(data, 6), read_u16(data, 8));
2380         break;
2381     case VNC_MSG_CLIENT_KEY_EVENT:
2382         if (len == 1)
2383             return 8;
2384 
2385         key_event(vs, read_u8(data, 1), read_u32(data, 4));
2386         break;
2387     case VNC_MSG_CLIENT_POINTER_EVENT:
2388         if (len == 1)
2389             return 6;
2390 
2391         pointer_event(vs, read_u8(data, 1), read_u16(data, 2), read_u16(data, 4));
2392         break;
2393     case VNC_MSG_CLIENT_CUT_TEXT:
2394         if (len == 1) {
2395             return 8;
2396         }
2397         if (len == 8) {
2398             uint32_t dlen = read_u32(data, 4);
2399             if (dlen > (1 << 20)) {
2400                 error_report("vnc: client_cut_text msg payload has %u bytes"
2401                              " which exceeds our limit of 1MB.", dlen);
2402                 vnc_client_error(vs);
2403                 break;
2404             }
2405             if (dlen > 0) {
2406                 return 8 + dlen;
2407             }
2408         }
2409 
2410         client_cut_text(vs, read_u32(data, 4), data + 8);
2411         break;
2412     case VNC_MSG_CLIENT_XVP:
2413         if (!(vs->features & VNC_FEATURE_XVP)) {
2414             error_report("vnc: xvp client message while disabled");
2415             vnc_client_error(vs);
2416             break;
2417         }
2418         if (len == 1) {
2419             return 4;
2420         }
2421         if (len == 4) {
2422             uint8_t version = read_u8(data, 2);
2423             uint8_t action = read_u8(data, 3);
2424 
2425             if (version != 1) {
2426                 error_report("vnc: xvp client message version %d != 1",
2427                              version);
2428                 vnc_client_error(vs);
2429                 break;
2430             }
2431 
2432             switch (action) {
2433             case VNC_XVP_ACTION_SHUTDOWN:
2434                 qemu_system_powerdown_request();
2435                 break;
2436             case VNC_XVP_ACTION_REBOOT:
2437                 send_xvp_message(vs, VNC_XVP_CODE_FAIL);
2438                 break;
2439             case VNC_XVP_ACTION_RESET:
2440                 qemu_system_reset_request(SHUTDOWN_CAUSE_HOST_QMP_SYSTEM_RESET);
2441                 break;
2442             default:
2443                 send_xvp_message(vs, VNC_XVP_CODE_FAIL);
2444                 break;
2445             }
2446         }
2447         break;
2448     case VNC_MSG_CLIENT_QEMU:
2449         if (len == 1)
2450             return 2;
2451 
2452         switch (read_u8(data, 1)) {
2453         case VNC_MSG_CLIENT_QEMU_EXT_KEY_EVENT:
2454             if (len == 2)
2455                 return 12;
2456 
2457             ext_key_event(vs, read_u16(data, 2),
2458                           read_u32(data, 4), read_u32(data, 8));
2459             break;
2460         case VNC_MSG_CLIENT_QEMU_AUDIO:
2461             if (len == 2)
2462                 return 4;
2463 
2464             switch (read_u16 (data, 2)) {
2465             case VNC_MSG_CLIENT_QEMU_AUDIO_ENABLE:
2466                 audio_add(vs);
2467                 break;
2468             case VNC_MSG_CLIENT_QEMU_AUDIO_DISABLE:
2469                 audio_del(vs);
2470                 break;
2471             case VNC_MSG_CLIENT_QEMU_AUDIO_SET_FORMAT:
2472                 if (len == 4)
2473                     return 10;
2474                 switch (read_u8(data, 4)) {
2475                 case 0: vs->as.fmt = AUDIO_FORMAT_U8; break;
2476                 case 1: vs->as.fmt = AUDIO_FORMAT_S8; break;
2477                 case 2: vs->as.fmt = AUDIO_FORMAT_U16; break;
2478                 case 3: vs->as.fmt = AUDIO_FORMAT_S16; break;
2479                 case 4: vs->as.fmt = AUDIO_FORMAT_U32; break;
2480                 case 5: vs->as.fmt = AUDIO_FORMAT_S32; break;
2481                 default:
2482                     VNC_DEBUG("Invalid audio format %d\n", read_u8(data, 4));
2483                     vnc_client_error(vs);
2484                     break;
2485                 }
2486                 vs->as.nchannels = read_u8(data, 5);
2487                 if (vs->as.nchannels != 1 && vs->as.nchannels != 2) {
2488                     VNC_DEBUG("Invalid audio channel count %d\n",
2489                               read_u8(data, 5));
2490                     vnc_client_error(vs);
2491                     break;
2492                 }
2493                 freq = read_u32(data, 6);
2494                 /* No official limit for protocol, but 48khz is a sensible
2495                  * upper bound for trustworthy clients, and this limit
2496                  * protects calculations involving 'vs->as.freq' later.
2497                  */
2498                 if (freq > 48000) {
2499                     VNC_DEBUG("Invalid audio frequency %u > 48000", freq);
2500                     vnc_client_error(vs);
2501                     break;
2502                 }
2503                 vs->as.freq = freq;
2504                 break;
2505             default:
2506                 VNC_DEBUG("Invalid audio message %d\n", read_u8(data, 4));
2507                 vnc_client_error(vs);
2508                 break;
2509             }
2510             break;
2511 
2512         default:
2513             VNC_DEBUG("Msg: %d\n", read_u16(data, 0));
2514             vnc_client_error(vs);
2515             break;
2516         }
2517         break;
2518     case VNC_MSG_CLIENT_SET_DESKTOP_SIZE:
2519     {
2520         size_t size;
2521         uint8_t screens;
2522 
2523         if (len < 8) {
2524             return 8;
2525         }
2526 
2527         screens = read_u8(data, 6);
2528         size    = 8 + screens * 16;
2529         if (len < size) {
2530             return size;
2531         }
2532 
2533         if (dpy_ui_info_supported(vs->vd->dcl.con)) {
2534             QemuUIInfo info;
2535             memset(&info, 0, sizeof(info));
2536             info.width = read_u16(data, 2);
2537             info.height = read_u16(data, 4);
2538             dpy_set_ui_info(vs->vd->dcl.con, &info);
2539             vnc_desktop_resize_ext(vs, 4 /* Request forwarded */);
2540         } else {
2541             vnc_desktop_resize_ext(vs, 3 /* Invalid screen layout */);
2542         }
2543 
2544         break;
2545     }
2546     default:
2547         VNC_DEBUG("Msg: %d\n", data[0]);
2548         vnc_client_error(vs);
2549         break;
2550     }
2551 
2552     vnc_update_throttle_offset(vs);
2553     vnc_read_when(vs, protocol_client_msg, 1);
2554     return 0;
2555 }
2556 
2557 static int protocol_client_init(VncState *vs, uint8_t *data, size_t len)
2558 {
2559     char buf[1024];
2560     VncShareMode mode;
2561     int size;
2562 
2563     mode = data[0] ? VNC_SHARE_MODE_SHARED : VNC_SHARE_MODE_EXCLUSIVE;
2564     switch (vs->vd->share_policy) {
2565     case VNC_SHARE_POLICY_IGNORE:
2566         /*
2567          * Ignore the shared flag.  Nothing to do here.
2568          *
2569          * Doesn't conform to the rfb spec but is traditional qemu
2570          * behavior, thus left here as option for compatibility
2571          * reasons.
2572          */
2573         break;
2574     case VNC_SHARE_POLICY_ALLOW_EXCLUSIVE:
2575         /*
2576          * Policy: Allow clients ask for exclusive access.
2577          *
2578          * Implementation: When a client asks for exclusive access,
2579          * disconnect all others. Shared connects are allowed as long
2580          * as no exclusive connection exists.
2581          *
2582          * This is how the rfb spec suggests to handle the shared flag.
2583          */
2584         if (mode == VNC_SHARE_MODE_EXCLUSIVE) {
2585             VncState *client;
2586             QTAILQ_FOREACH(client, &vs->vd->clients, next) {
2587                 if (vs == client) {
2588                     continue;
2589                 }
2590                 if (client->share_mode != VNC_SHARE_MODE_EXCLUSIVE &&
2591                     client->share_mode != VNC_SHARE_MODE_SHARED) {
2592                     continue;
2593                 }
2594                 vnc_disconnect_start(client);
2595             }
2596         }
2597         if (mode == VNC_SHARE_MODE_SHARED) {
2598             if (vs->vd->num_exclusive > 0) {
2599                 vnc_disconnect_start(vs);
2600                 return 0;
2601             }
2602         }
2603         break;
2604     case VNC_SHARE_POLICY_FORCE_SHARED:
2605         /*
2606          * Policy: Shared connects only.
2607          * Implementation: Disallow clients asking for exclusive access.
2608          *
2609          * Useful for shared desktop sessions where you don't want
2610          * someone forgetting to say -shared when running the vnc
2611          * client disconnect everybody else.
2612          */
2613         if (mode == VNC_SHARE_MODE_EXCLUSIVE) {
2614             vnc_disconnect_start(vs);
2615             return 0;
2616         }
2617         break;
2618     }
2619     vnc_set_share_mode(vs, mode);
2620 
2621     if (vs->vd->num_shared > vs->vd->connections_limit) {
2622         vnc_disconnect_start(vs);
2623         return 0;
2624     }
2625 
2626     assert(pixman_image_get_width(vs->vd->server) < 65536 &&
2627            pixman_image_get_width(vs->vd->server) >= 0);
2628     assert(pixman_image_get_height(vs->vd->server) < 65536 &&
2629            pixman_image_get_height(vs->vd->server) >= 0);
2630     vs->client_width = pixman_image_get_width(vs->vd->server);
2631     vs->client_height = pixman_image_get_height(vs->vd->server);
2632     vnc_write_u16(vs, vs->client_width);
2633     vnc_write_u16(vs, vs->client_height);
2634 
2635     pixel_format_message(vs);
2636 
2637     if (qemu_name) {
2638         size = snprintf(buf, sizeof(buf), "QEMU (%s)", qemu_name);
2639         if (size > sizeof(buf)) {
2640             size = sizeof(buf);
2641         }
2642     } else {
2643         size = snprintf(buf, sizeof(buf), "QEMU");
2644     }
2645 
2646     vnc_write_u32(vs, size);
2647     vnc_write(vs, buf, size);
2648     vnc_flush(vs);
2649 
2650     vnc_client_cache_auth(vs);
2651     vnc_qmp_event(vs, QAPI_EVENT_VNC_INITIALIZED);
2652 
2653     vnc_read_when(vs, protocol_client_msg, 1);
2654 
2655     return 0;
2656 }
2657 
2658 void start_client_init(VncState *vs)
2659 {
2660     vnc_read_when(vs, protocol_client_init, 1);
2661 }
2662 
2663 static void authentication_failed(VncState *vs)
2664 {
2665     vnc_write_u32(vs, 1); /* Reject auth */
2666     if (vs->minor >= 8) {
2667         static const char err[] = "Authentication failed";
2668         vnc_write_u32(vs, sizeof(err));
2669         vnc_write(vs, err, sizeof(err));
2670     }
2671     vnc_flush(vs);
2672     vnc_client_error(vs);
2673 }
2674 
2675 static int protocol_client_auth_vnc(VncState *vs, uint8_t *data, size_t len)
2676 {
2677     unsigned char response[VNC_AUTH_CHALLENGE_SIZE];
2678     size_t i, pwlen;
2679     unsigned char key[8];
2680     time_t now = time(NULL);
2681     QCryptoCipher *cipher = NULL;
2682     Error *err = NULL;
2683 
2684     if (!vs->vd->password) {
2685         trace_vnc_auth_fail(vs, vs->auth, "password is not set", "");
2686         goto reject;
2687     }
2688     if (vs->vd->expires < now) {
2689         trace_vnc_auth_fail(vs, vs->auth, "password is expired", "");
2690         goto reject;
2691     }
2692 
2693     memcpy(response, vs->challenge, VNC_AUTH_CHALLENGE_SIZE);
2694 
2695     /* Calculate the expected challenge response */
2696     pwlen = strlen(vs->vd->password);
2697     for (i=0; i<sizeof(key); i++)
2698         key[i] = i<pwlen ? vs->vd->password[i] : 0;
2699 
2700     cipher = qcrypto_cipher_new(
2701         QCRYPTO_CIPHER_ALG_DES_RFB,
2702         QCRYPTO_CIPHER_MODE_ECB,
2703         key, G_N_ELEMENTS(key),
2704         &err);
2705     if (!cipher) {
2706         trace_vnc_auth_fail(vs, vs->auth, "cannot create cipher",
2707                             error_get_pretty(err));
2708         error_free(err);
2709         goto reject;
2710     }
2711 
2712     if (qcrypto_cipher_encrypt(cipher,
2713                                vs->challenge,
2714                                response,
2715                                VNC_AUTH_CHALLENGE_SIZE,
2716                                &err) < 0) {
2717         trace_vnc_auth_fail(vs, vs->auth, "cannot encrypt challenge response",
2718                             error_get_pretty(err));
2719         error_free(err);
2720         goto reject;
2721     }
2722 
2723     /* Compare expected vs actual challenge response */
2724     if (memcmp(response, data, VNC_AUTH_CHALLENGE_SIZE) != 0) {
2725         trace_vnc_auth_fail(vs, vs->auth, "mis-matched challenge response", "");
2726         goto reject;
2727     } else {
2728         trace_vnc_auth_pass(vs, vs->auth);
2729         vnc_write_u32(vs, 0); /* Accept auth */
2730         vnc_flush(vs);
2731 
2732         start_client_init(vs);
2733     }
2734 
2735     qcrypto_cipher_free(cipher);
2736     return 0;
2737 
2738 reject:
2739     authentication_failed(vs);
2740     qcrypto_cipher_free(cipher);
2741     return 0;
2742 }
2743 
2744 void start_auth_vnc(VncState *vs)
2745 {
2746     Error *err = NULL;
2747 
2748     if (qcrypto_random_bytes(vs->challenge, sizeof(vs->challenge), &err)) {
2749         trace_vnc_auth_fail(vs, vs->auth, "cannot get random bytes",
2750                             error_get_pretty(err));
2751         error_free(err);
2752         authentication_failed(vs);
2753         return;
2754     }
2755 
2756     /* Send client a 'random' challenge */
2757     vnc_write(vs, vs->challenge, sizeof(vs->challenge));
2758     vnc_flush(vs);
2759 
2760     vnc_read_when(vs, protocol_client_auth_vnc, sizeof(vs->challenge));
2761 }
2762 
2763 
2764 static int protocol_client_auth(VncState *vs, uint8_t *data, size_t len)
2765 {
2766     /* We only advertise 1 auth scheme at a time, so client
2767      * must pick the one we sent. Verify this */
2768     if (data[0] != vs->auth) { /* Reject auth */
2769        trace_vnc_auth_reject(vs, vs->auth, (int)data[0]);
2770        authentication_failed(vs);
2771     } else { /* Accept requested auth */
2772        trace_vnc_auth_start(vs, vs->auth);
2773        switch (vs->auth) {
2774        case VNC_AUTH_NONE:
2775            if (vs->minor >= 8) {
2776                vnc_write_u32(vs, 0); /* Accept auth completion */
2777                vnc_flush(vs);
2778            }
2779            trace_vnc_auth_pass(vs, vs->auth);
2780            start_client_init(vs);
2781            break;
2782 
2783        case VNC_AUTH_VNC:
2784            start_auth_vnc(vs);
2785            break;
2786 
2787        case VNC_AUTH_VENCRYPT:
2788            start_auth_vencrypt(vs);
2789            break;
2790 
2791 #ifdef CONFIG_VNC_SASL
2792        case VNC_AUTH_SASL:
2793            start_auth_sasl(vs);
2794            break;
2795 #endif /* CONFIG_VNC_SASL */
2796 
2797        default: /* Should not be possible, but just in case */
2798            trace_vnc_auth_fail(vs, vs->auth, "Unhandled auth method", "");
2799            authentication_failed(vs);
2800        }
2801     }
2802     return 0;
2803 }
2804 
2805 static int protocol_version(VncState *vs, uint8_t *version, size_t len)
2806 {
2807     char local[13];
2808 
2809     memcpy(local, version, 12);
2810     local[12] = 0;
2811 
2812     if (sscanf(local, "RFB %03d.%03d\n", &vs->major, &vs->minor) != 2) {
2813         VNC_DEBUG("Malformed protocol version %s\n", local);
2814         vnc_client_error(vs);
2815         return 0;
2816     }
2817     VNC_DEBUG("Client request protocol version %d.%d\n", vs->major, vs->minor);
2818     if (vs->major != 3 ||
2819         (vs->minor != 3 &&
2820          vs->minor != 4 &&
2821          vs->minor != 5 &&
2822          vs->minor != 7 &&
2823          vs->minor != 8)) {
2824         VNC_DEBUG("Unsupported client version\n");
2825         vnc_write_u32(vs, VNC_AUTH_INVALID);
2826         vnc_flush(vs);
2827         vnc_client_error(vs);
2828         return 0;
2829     }
2830     /* Some broken clients report v3.4 or v3.5, which spec requires to be treated
2831      * as equivalent to v3.3 by servers
2832      */
2833     if (vs->minor == 4 || vs->minor == 5)
2834         vs->minor = 3;
2835 
2836     if (vs->minor == 3) {
2837         trace_vnc_auth_start(vs, vs->auth);
2838         if (vs->auth == VNC_AUTH_NONE) {
2839             vnc_write_u32(vs, vs->auth);
2840             vnc_flush(vs);
2841             trace_vnc_auth_pass(vs, vs->auth);
2842             start_client_init(vs);
2843        } else if (vs->auth == VNC_AUTH_VNC) {
2844             VNC_DEBUG("Tell client VNC auth\n");
2845             vnc_write_u32(vs, vs->auth);
2846             vnc_flush(vs);
2847             start_auth_vnc(vs);
2848        } else {
2849             trace_vnc_auth_fail(vs, vs->auth,
2850                                 "Unsupported auth method for v3.3", "");
2851             vnc_write_u32(vs, VNC_AUTH_INVALID);
2852             vnc_flush(vs);
2853             vnc_client_error(vs);
2854        }
2855     } else {
2856         vnc_write_u8(vs, 1); /* num auth */
2857         vnc_write_u8(vs, vs->auth);
2858         vnc_read_when(vs, protocol_client_auth, 1);
2859         vnc_flush(vs);
2860     }
2861 
2862     return 0;
2863 }
2864 
2865 static VncRectStat *vnc_stat_rect(VncDisplay *vd, int x, int y)
2866 {
2867     struct VncSurface *vs = &vd->guest;
2868 
2869     return &vs->stats[y / VNC_STAT_RECT][x / VNC_STAT_RECT];
2870 }
2871 
2872 void vnc_sent_lossy_rect(VncState *vs, int x, int y, int w, int h)
2873 {
2874     int i, j;
2875 
2876     w = (x + w) / VNC_STAT_RECT;
2877     h = (y + h) / VNC_STAT_RECT;
2878     x /= VNC_STAT_RECT;
2879     y /= VNC_STAT_RECT;
2880 
2881     for (j = y; j <= h; j++) {
2882         for (i = x; i <= w; i++) {
2883             vs->lossy_rect[j][i] = 1;
2884         }
2885     }
2886 }
2887 
2888 static int vnc_refresh_lossy_rect(VncDisplay *vd, int x, int y)
2889 {
2890     VncState *vs;
2891     int sty = y / VNC_STAT_RECT;
2892     int stx = x / VNC_STAT_RECT;
2893     int has_dirty = 0;
2894 
2895     y = QEMU_ALIGN_DOWN(y, VNC_STAT_RECT);
2896     x = QEMU_ALIGN_DOWN(x, VNC_STAT_RECT);
2897 
2898     QTAILQ_FOREACH(vs, &vd->clients, next) {
2899         int j;
2900 
2901         /* kernel send buffers are full -> refresh later */
2902         if (vs->output.offset) {
2903             continue;
2904         }
2905 
2906         if (!vs->lossy_rect[sty][stx]) {
2907             continue;
2908         }
2909 
2910         vs->lossy_rect[sty][stx] = 0;
2911         for (j = 0; j < VNC_STAT_RECT; ++j) {
2912             bitmap_set(vs->dirty[y + j],
2913                        x / VNC_DIRTY_PIXELS_PER_BIT,
2914                        VNC_STAT_RECT / VNC_DIRTY_PIXELS_PER_BIT);
2915         }
2916         has_dirty++;
2917     }
2918 
2919     return has_dirty;
2920 }
2921 
2922 static int vnc_update_stats(VncDisplay *vd,  struct timeval * tv)
2923 {
2924     int width = MIN(pixman_image_get_width(vd->guest.fb),
2925                     pixman_image_get_width(vd->server));
2926     int height = MIN(pixman_image_get_height(vd->guest.fb),
2927                      pixman_image_get_height(vd->server));
2928     int x, y;
2929     struct timeval res;
2930     int has_dirty = 0;
2931 
2932     for (y = 0; y < height; y += VNC_STAT_RECT) {
2933         for (x = 0; x < width; x += VNC_STAT_RECT) {
2934             VncRectStat *rect = vnc_stat_rect(vd, x, y);
2935 
2936             rect->updated = false;
2937         }
2938     }
2939 
2940     qemu_timersub(tv, &VNC_REFRESH_STATS, &res);
2941 
2942     if (timercmp(&vd->guest.last_freq_check, &res, >)) {
2943         return has_dirty;
2944     }
2945     vd->guest.last_freq_check = *tv;
2946 
2947     for (y = 0; y < height; y += VNC_STAT_RECT) {
2948         for (x = 0; x < width; x += VNC_STAT_RECT) {
2949             VncRectStat *rect= vnc_stat_rect(vd, x, y);
2950             int count = ARRAY_SIZE(rect->times);
2951             struct timeval min, max;
2952 
2953             if (!timerisset(&rect->times[count - 1])) {
2954                 continue ;
2955             }
2956 
2957             max = rect->times[(rect->idx + count - 1) % count];
2958             qemu_timersub(tv, &max, &res);
2959 
2960             if (timercmp(&res, &VNC_REFRESH_LOSSY, >)) {
2961                 rect->freq = 0;
2962                 has_dirty += vnc_refresh_lossy_rect(vd, x, y);
2963                 memset(rect->times, 0, sizeof (rect->times));
2964                 continue ;
2965             }
2966 
2967             min = rect->times[rect->idx];
2968             max = rect->times[(rect->idx + count - 1) % count];
2969             qemu_timersub(&max, &min, &res);
2970 
2971             rect->freq = res.tv_sec + res.tv_usec / 1000000.;
2972             rect->freq /= count;
2973             rect->freq = 1. / rect->freq;
2974         }
2975     }
2976     return has_dirty;
2977 }
2978 
2979 double vnc_update_freq(VncState *vs, int x, int y, int w, int h)
2980 {
2981     int i, j;
2982     double total = 0;
2983     int num = 0;
2984 
2985     x =  QEMU_ALIGN_DOWN(x, VNC_STAT_RECT);
2986     y =  QEMU_ALIGN_DOWN(y, VNC_STAT_RECT);
2987 
2988     for (j = y; j <= y + h; j += VNC_STAT_RECT) {
2989         for (i = x; i <= x + w; i += VNC_STAT_RECT) {
2990             total += vnc_stat_rect(vs->vd, i, j)->freq;
2991             num++;
2992         }
2993     }
2994 
2995     if (num) {
2996         return total / num;
2997     } else {
2998         return 0;
2999     }
3000 }
3001 
3002 static void vnc_rect_updated(VncDisplay *vd, int x, int y, struct timeval * tv)
3003 {
3004     VncRectStat *rect;
3005 
3006     rect = vnc_stat_rect(vd, x, y);
3007     if (rect->updated) {
3008         return ;
3009     }
3010     rect->times[rect->idx] = *tv;
3011     rect->idx = (rect->idx + 1) % ARRAY_SIZE(rect->times);
3012     rect->updated = true;
3013 }
3014 
3015 static int vnc_refresh_server_surface(VncDisplay *vd)
3016 {
3017     int width = MIN(pixman_image_get_width(vd->guest.fb),
3018                     pixman_image_get_width(vd->server));
3019     int height = MIN(pixman_image_get_height(vd->guest.fb),
3020                      pixman_image_get_height(vd->server));
3021     int cmp_bytes, server_stride, line_bytes, guest_ll, guest_stride, y = 0;
3022     uint8_t *guest_row0 = NULL, *server_row0;
3023     VncState *vs;
3024     int has_dirty = 0;
3025     pixman_image_t *tmpbuf = NULL;
3026 
3027     struct timeval tv = { 0, 0 };
3028 
3029     if (!vd->non_adaptive) {
3030         gettimeofday(&tv, NULL);
3031         has_dirty = vnc_update_stats(vd, &tv);
3032     }
3033 
3034     /*
3035      * Walk through the guest dirty map.
3036      * Check and copy modified bits from guest to server surface.
3037      * Update server dirty map.
3038      */
3039     server_row0 = (uint8_t *)pixman_image_get_data(vd->server);
3040     server_stride = guest_stride = guest_ll =
3041         pixman_image_get_stride(vd->server);
3042     cmp_bytes = MIN(VNC_DIRTY_PIXELS_PER_BIT * VNC_SERVER_FB_BYTES,
3043                     server_stride);
3044     if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
3045         int width = pixman_image_get_width(vd->server);
3046         tmpbuf = qemu_pixman_linebuf_create(VNC_SERVER_FB_FORMAT, width);
3047     } else {
3048         int guest_bpp =
3049             PIXMAN_FORMAT_BPP(pixman_image_get_format(vd->guest.fb));
3050         guest_row0 = (uint8_t *)pixman_image_get_data(vd->guest.fb);
3051         guest_stride = pixman_image_get_stride(vd->guest.fb);
3052         guest_ll = pixman_image_get_width(vd->guest.fb)
3053                    * DIV_ROUND_UP(guest_bpp, 8);
3054     }
3055     line_bytes = MIN(server_stride, guest_ll);
3056 
3057     for (;;) {
3058         int x;
3059         uint8_t *guest_ptr, *server_ptr;
3060         unsigned long offset = find_next_bit((unsigned long *) &vd->guest.dirty,
3061                                              height * VNC_DIRTY_BPL(&vd->guest),
3062                                              y * VNC_DIRTY_BPL(&vd->guest));
3063         if (offset == height * VNC_DIRTY_BPL(&vd->guest)) {
3064             /* no more dirty bits */
3065             break;
3066         }
3067         y = offset / VNC_DIRTY_BPL(&vd->guest);
3068         x = offset % VNC_DIRTY_BPL(&vd->guest);
3069 
3070         server_ptr = server_row0 + y * server_stride + x * cmp_bytes;
3071 
3072         if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
3073             qemu_pixman_linebuf_fill(tmpbuf, vd->guest.fb, width, 0, y);
3074             guest_ptr = (uint8_t *)pixman_image_get_data(tmpbuf);
3075         } else {
3076             guest_ptr = guest_row0 + y * guest_stride;
3077         }
3078         guest_ptr += x * cmp_bytes;
3079 
3080         for (; x < DIV_ROUND_UP(width, VNC_DIRTY_PIXELS_PER_BIT);
3081              x++, guest_ptr += cmp_bytes, server_ptr += cmp_bytes) {
3082             int _cmp_bytes = cmp_bytes;
3083             if (!test_and_clear_bit(x, vd->guest.dirty[y])) {
3084                 continue;
3085             }
3086             if ((x + 1) * cmp_bytes > line_bytes) {
3087                 _cmp_bytes = line_bytes - x * cmp_bytes;
3088             }
3089             assert(_cmp_bytes >= 0);
3090             if (memcmp(server_ptr, guest_ptr, _cmp_bytes) == 0) {
3091                 continue;
3092             }
3093             memcpy(server_ptr, guest_ptr, _cmp_bytes);
3094             if (!vd->non_adaptive) {
3095                 vnc_rect_updated(vd, x * VNC_DIRTY_PIXELS_PER_BIT,
3096                                  y, &tv);
3097             }
3098             QTAILQ_FOREACH(vs, &vd->clients, next) {
3099                 set_bit(x, vs->dirty[y]);
3100             }
3101             has_dirty++;
3102         }
3103 
3104         y++;
3105     }
3106     qemu_pixman_image_unref(tmpbuf);
3107     return has_dirty;
3108 }
3109 
3110 static void vnc_refresh(DisplayChangeListener *dcl)
3111 {
3112     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
3113     VncState *vs, *vn;
3114     int has_dirty, rects = 0;
3115 
3116     if (QTAILQ_EMPTY(&vd->clients)) {
3117         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_MAX);
3118         return;
3119     }
3120 
3121     graphic_hw_update(vd->dcl.con);
3122 
3123     if (vnc_trylock_display(vd)) {
3124         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
3125         return;
3126     }
3127 
3128     has_dirty = vnc_refresh_server_surface(vd);
3129     vnc_unlock_display(vd);
3130 
3131     QTAILQ_FOREACH_SAFE(vs, &vd->clients, next, vn) {
3132         rects += vnc_update_client(vs, has_dirty);
3133         /* vs might be free()ed here */
3134     }
3135 
3136     if (has_dirty && rects) {
3137         vd->dcl.update_interval /= 2;
3138         if (vd->dcl.update_interval < VNC_REFRESH_INTERVAL_BASE) {
3139             vd->dcl.update_interval = VNC_REFRESH_INTERVAL_BASE;
3140         }
3141     } else {
3142         vd->dcl.update_interval += VNC_REFRESH_INTERVAL_INC;
3143         if (vd->dcl.update_interval > VNC_REFRESH_INTERVAL_MAX) {
3144             vd->dcl.update_interval = VNC_REFRESH_INTERVAL_MAX;
3145         }
3146     }
3147 }
3148 
3149 static void vnc_connect(VncDisplay *vd, QIOChannelSocket *sioc,
3150                         bool skipauth, bool websocket)
3151 {
3152     VncState *vs = g_new0(VncState, 1);
3153     bool first_client = QTAILQ_EMPTY(&vd->clients);
3154     int i;
3155 
3156     trace_vnc_client_connect(vs, sioc);
3157     vs->zrle = g_new0(VncZrle, 1);
3158     vs->tight = g_new0(VncTight, 1);
3159     vs->magic = VNC_MAGIC;
3160     vs->sioc = sioc;
3161     object_ref(OBJECT(vs->sioc));
3162     vs->ioc = QIO_CHANNEL(sioc);
3163     object_ref(OBJECT(vs->ioc));
3164     vs->vd = vd;
3165 
3166     buffer_init(&vs->input,          "vnc-input/%p", sioc);
3167     buffer_init(&vs->output,         "vnc-output/%p", sioc);
3168     buffer_init(&vs->jobs_buffer,    "vnc-jobs_buffer/%p", sioc);
3169 
3170     buffer_init(&vs->tight->tight,    "vnc-tight/%p", sioc);
3171     buffer_init(&vs->tight->zlib,     "vnc-tight-zlib/%p", sioc);
3172     buffer_init(&vs->tight->gradient, "vnc-tight-gradient/%p", sioc);
3173 #ifdef CONFIG_VNC_JPEG
3174     buffer_init(&vs->tight->jpeg,     "vnc-tight-jpeg/%p", sioc);
3175 #endif
3176 #ifdef CONFIG_VNC_PNG
3177     buffer_init(&vs->tight->png,      "vnc-tight-png/%p", sioc);
3178 #endif
3179     buffer_init(&vs->zlib.zlib,      "vnc-zlib/%p", sioc);
3180     buffer_init(&vs->zrle->zrle,      "vnc-zrle/%p", sioc);
3181     buffer_init(&vs->zrle->fb,        "vnc-zrle-fb/%p", sioc);
3182     buffer_init(&vs->zrle->zlib,      "vnc-zrle-zlib/%p", sioc);
3183 
3184     if (skipauth) {
3185         vs->auth = VNC_AUTH_NONE;
3186         vs->subauth = VNC_AUTH_INVALID;
3187     } else {
3188         if (websocket) {
3189             vs->auth = vd->ws_auth;
3190             vs->subauth = VNC_AUTH_INVALID;
3191         } else {
3192             vs->auth = vd->auth;
3193             vs->subauth = vd->subauth;
3194         }
3195     }
3196     VNC_DEBUG("Client sioc=%p ws=%d auth=%d subauth=%d\n",
3197               sioc, websocket, vs->auth, vs->subauth);
3198 
3199     vs->lossy_rect = g_malloc0(VNC_STAT_ROWS * sizeof (*vs->lossy_rect));
3200     for (i = 0; i < VNC_STAT_ROWS; ++i) {
3201         vs->lossy_rect[i] = g_new0(uint8_t, VNC_STAT_COLS);
3202     }
3203 
3204     VNC_DEBUG("New client on socket %p\n", vs->sioc);
3205     update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
3206     qio_channel_set_blocking(vs->ioc, false, NULL);
3207     if (vs->ioc_tag) {
3208         g_source_remove(vs->ioc_tag);
3209     }
3210     if (websocket) {
3211         vs->websocket = 1;
3212         if (vd->tlscreds) {
3213             vs->ioc_tag = qio_channel_add_watch(
3214                 vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
3215                 vncws_tls_handshake_io, vs, NULL);
3216         } else {
3217             vs->ioc_tag = qio_channel_add_watch(
3218                 vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
3219                 vncws_handshake_io, vs, NULL);
3220         }
3221     } else {
3222         vs->ioc_tag = qio_channel_add_watch(
3223             vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
3224             vnc_client_io, vs, NULL);
3225     }
3226 
3227     vnc_client_cache_addr(vs);
3228     vnc_qmp_event(vs, QAPI_EVENT_VNC_CONNECTED);
3229     vnc_set_share_mode(vs, VNC_SHARE_MODE_CONNECTING);
3230 
3231     vs->last_x = -1;
3232     vs->last_y = -1;
3233 
3234     vs->as.freq = 44100;
3235     vs->as.nchannels = 2;
3236     vs->as.fmt = AUDIO_FORMAT_S16;
3237     vs->as.endianness = 0;
3238 
3239     qemu_mutex_init(&vs->output_mutex);
3240     vs->bh = qemu_bh_new(vnc_jobs_bh, vs);
3241 
3242     QTAILQ_INSERT_TAIL(&vd->clients, vs, next);
3243     if (first_client) {
3244         vnc_update_server_surface(vd);
3245     }
3246 
3247     graphic_hw_update(vd->dcl.con);
3248 
3249     if (!vs->websocket) {
3250         vnc_start_protocol(vs);
3251     }
3252 
3253     if (vd->num_connecting > vd->connections_limit) {
3254         QTAILQ_FOREACH(vs, &vd->clients, next) {
3255             if (vs->share_mode == VNC_SHARE_MODE_CONNECTING) {
3256                 vnc_disconnect_start(vs);
3257                 return;
3258             }
3259         }
3260     }
3261 }
3262 
3263 void vnc_start_protocol(VncState *vs)
3264 {
3265     vnc_write(vs, "RFB 003.008\n", 12);
3266     vnc_flush(vs);
3267     vnc_read_when(vs, protocol_version, 12);
3268 
3269     vs->mouse_mode_notifier.notify = check_pointer_type_change;
3270     qemu_add_mouse_mode_change_notifier(&vs->mouse_mode_notifier);
3271 }
3272 
3273 static void vnc_listen_io(QIONetListener *listener,
3274                           QIOChannelSocket *cioc,
3275                           void *opaque)
3276 {
3277     VncDisplay *vd = opaque;
3278     bool isWebsock = listener == vd->wslistener;
3279 
3280     qio_channel_set_name(QIO_CHANNEL(cioc),
3281                          isWebsock ? "vnc-ws-server" : "vnc-server");
3282     qio_channel_set_delay(QIO_CHANNEL(cioc), false);
3283     vnc_connect(vd, cioc, false, isWebsock);
3284 }
3285 
3286 static const DisplayChangeListenerOps dcl_ops = {
3287     .dpy_name             = "vnc",
3288     .dpy_refresh          = vnc_refresh,
3289     .dpy_gfx_update       = vnc_dpy_update,
3290     .dpy_gfx_switch       = vnc_dpy_switch,
3291     .dpy_gfx_check_format = qemu_pixman_check_format,
3292     .dpy_mouse_set        = vnc_mouse_set,
3293     .dpy_cursor_define    = vnc_dpy_cursor_define,
3294 };
3295 
3296 void vnc_display_init(const char *id, Error **errp)
3297 {
3298     VncDisplay *vd;
3299 
3300     if (vnc_display_find(id) != NULL) {
3301         return;
3302     }
3303     vd = g_malloc0(sizeof(*vd));
3304 
3305     vd->id = strdup(id);
3306     QTAILQ_INSERT_TAIL(&vnc_displays, vd, next);
3307 
3308     QTAILQ_INIT(&vd->clients);
3309     vd->expires = TIME_MAX;
3310 
3311     if (keyboard_layout) {
3312         trace_vnc_key_map_init(keyboard_layout);
3313         vd->kbd_layout = init_keyboard_layout(name2keysym,
3314                                               keyboard_layout, errp);
3315     } else {
3316         vd->kbd_layout = init_keyboard_layout(name2keysym, "en-us", errp);
3317     }
3318 
3319     if (!vd->kbd_layout) {
3320         return;
3321     }
3322 
3323     vd->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
3324     vd->connections_limit = 32;
3325 
3326     qemu_mutex_init(&vd->mutex);
3327     vnc_start_worker_thread();
3328 
3329     vd->dcl.ops = &dcl_ops;
3330     register_displaychangelistener(&vd->dcl);
3331     vd->kbd = qkbd_state_init(vd->dcl.con);
3332 }
3333 
3334 
3335 static void vnc_display_close(VncDisplay *vd)
3336 {
3337     if (!vd) {
3338         return;
3339     }
3340     vd->is_unix = false;
3341 
3342     if (vd->listener) {
3343         qio_net_listener_disconnect(vd->listener);
3344         object_unref(OBJECT(vd->listener));
3345     }
3346     vd->listener = NULL;
3347 
3348     if (vd->wslistener) {
3349         qio_net_listener_disconnect(vd->wslistener);
3350         object_unref(OBJECT(vd->wslistener));
3351     }
3352     vd->wslistener = NULL;
3353 
3354     vd->auth = VNC_AUTH_INVALID;
3355     vd->subauth = VNC_AUTH_INVALID;
3356     if (vd->tlscreds) {
3357         object_unref(OBJECT(vd->tlscreds));
3358         vd->tlscreds = NULL;
3359     }
3360     if (vd->tlsauthz) {
3361         object_unparent(OBJECT(vd->tlsauthz));
3362         vd->tlsauthz = NULL;
3363     }
3364     g_free(vd->tlsauthzid);
3365     vd->tlsauthzid = NULL;
3366     if (vd->lock_key_sync) {
3367         qemu_remove_led_event_handler(vd->led);
3368         vd->led = NULL;
3369     }
3370 #ifdef CONFIG_VNC_SASL
3371     if (vd->sasl.authz) {
3372         object_unparent(OBJECT(vd->sasl.authz));
3373         vd->sasl.authz = NULL;
3374     }
3375     g_free(vd->sasl.authzid);
3376     vd->sasl.authzid = NULL;
3377 #endif
3378 }
3379 
3380 int vnc_display_password(const char *id, const char *password)
3381 {
3382     VncDisplay *vd = vnc_display_find(id);
3383 
3384     if (!vd) {
3385         return -EINVAL;
3386     }
3387     if (vd->auth == VNC_AUTH_NONE) {
3388         error_printf_unless_qmp("If you want use passwords please enable "
3389                                 "password auth using '-vnc ${dpy},password'.\n");
3390         return -EINVAL;
3391     }
3392 
3393     g_free(vd->password);
3394     vd->password = g_strdup(password);
3395 
3396     return 0;
3397 }
3398 
3399 int vnc_display_pw_expire(const char *id, time_t expires)
3400 {
3401     VncDisplay *vd = vnc_display_find(id);
3402 
3403     if (!vd) {
3404         return -EINVAL;
3405     }
3406 
3407     vd->expires = expires;
3408     return 0;
3409 }
3410 
3411 static void vnc_display_print_local_addr(VncDisplay *vd)
3412 {
3413     SocketAddress *addr;
3414 
3415     if (!vd->listener || !vd->listener->nsioc) {
3416         return;
3417     }
3418 
3419     addr = qio_channel_socket_get_local_address(vd->listener->sioc[0], NULL);
3420     if (!addr) {
3421         return;
3422     }
3423 
3424     if (addr->type != SOCKET_ADDRESS_TYPE_INET) {
3425         qapi_free_SocketAddress(addr);
3426         return;
3427     }
3428     error_printf_unless_qmp("VNC server running on %s:%s\n",
3429                             addr->u.inet.host,
3430                             addr->u.inet.port);
3431     qapi_free_SocketAddress(addr);
3432 }
3433 
3434 static QemuOptsList qemu_vnc_opts = {
3435     .name = "vnc",
3436     .head = QTAILQ_HEAD_INITIALIZER(qemu_vnc_opts.head),
3437     .implied_opt_name = "vnc",
3438     .desc = {
3439         {
3440             .name = "vnc",
3441             .type = QEMU_OPT_STRING,
3442         },{
3443             .name = "websocket",
3444             .type = QEMU_OPT_STRING,
3445         },{
3446             .name = "tls-creds",
3447             .type = QEMU_OPT_STRING,
3448         },{
3449             .name = "share",
3450             .type = QEMU_OPT_STRING,
3451         },{
3452             .name = "display",
3453             .type = QEMU_OPT_STRING,
3454         },{
3455             .name = "head",
3456             .type = QEMU_OPT_NUMBER,
3457         },{
3458             .name = "connections",
3459             .type = QEMU_OPT_NUMBER,
3460         },{
3461             .name = "to",
3462             .type = QEMU_OPT_NUMBER,
3463         },{
3464             .name = "ipv4",
3465             .type = QEMU_OPT_BOOL,
3466         },{
3467             .name = "ipv6",
3468             .type = QEMU_OPT_BOOL,
3469         },{
3470             .name = "password",
3471             .type = QEMU_OPT_BOOL,
3472         },{
3473             .name = "reverse",
3474             .type = QEMU_OPT_BOOL,
3475         },{
3476             .name = "lock-key-sync",
3477             .type = QEMU_OPT_BOOL,
3478         },{
3479             .name = "key-delay-ms",
3480             .type = QEMU_OPT_NUMBER,
3481         },{
3482             .name = "sasl",
3483             .type = QEMU_OPT_BOOL,
3484         },{
3485             .name = "acl",
3486             .type = QEMU_OPT_BOOL,
3487         },{
3488             .name = "tls-authz",
3489             .type = QEMU_OPT_STRING,
3490         },{
3491             .name = "sasl-authz",
3492             .type = QEMU_OPT_STRING,
3493         },{
3494             .name = "lossy",
3495             .type = QEMU_OPT_BOOL,
3496         },{
3497             .name = "non-adaptive",
3498             .type = QEMU_OPT_BOOL,
3499         },{
3500             .name = "audiodev",
3501             .type = QEMU_OPT_STRING,
3502         },{
3503             .name = "power-control",
3504             .type = QEMU_OPT_BOOL,
3505         },
3506         { /* end of list */ }
3507     },
3508 };
3509 
3510 
3511 static int
3512 vnc_display_setup_auth(int *auth,
3513                        int *subauth,
3514                        QCryptoTLSCreds *tlscreds,
3515                        bool password,
3516                        bool sasl,
3517                        bool websocket,
3518                        Error **errp)
3519 {
3520     /*
3521      * We have a choice of 3 authentication options
3522      *
3523      *   1. none
3524      *   2. vnc
3525      *   3. sasl
3526      *
3527      * The channel can be run in 2 modes
3528      *
3529      *   1. clear
3530      *   2. tls
3531      *
3532      * And TLS can use 2 types of credentials
3533      *
3534      *   1. anon
3535      *   2. x509
3536      *
3537      * We thus have 9 possible logical combinations
3538      *
3539      *   1. clear + none
3540      *   2. clear + vnc
3541      *   3. clear + sasl
3542      *   4. tls + anon + none
3543      *   5. tls + anon + vnc
3544      *   6. tls + anon + sasl
3545      *   7. tls + x509 + none
3546      *   8. tls + x509 + vnc
3547      *   9. tls + x509 + sasl
3548      *
3549      * These need to be mapped into the VNC auth schemes
3550      * in an appropriate manner. In regular VNC, all the
3551      * TLS options get mapped into VNC_AUTH_VENCRYPT
3552      * sub-auth types.
3553      *
3554      * In websockets, the https:// protocol already provides
3555      * TLS support, so there is no need to make use of the
3556      * VeNCrypt extension. Furthermore, websockets browser
3557      * clients could not use VeNCrypt even if they wanted to,
3558      * as they cannot control when the TLS handshake takes
3559      * place. Thus there is no option but to rely on https://,
3560      * meaning combinations 4->6 and 7->9 will be mapped to
3561      * VNC auth schemes in the same way as combos 1->3.
3562      *
3563      * Regardless of fact that we have a different mapping to
3564      * VNC auth mechs for plain VNC vs websockets VNC, the end
3565      * result has the same security characteristics.
3566      */
3567     if (websocket || !tlscreds) {
3568         if (password) {
3569             VNC_DEBUG("Initializing VNC server with password auth\n");
3570             *auth = VNC_AUTH_VNC;
3571         } else if (sasl) {
3572             VNC_DEBUG("Initializing VNC server with SASL auth\n");
3573             *auth = VNC_AUTH_SASL;
3574         } else {
3575             VNC_DEBUG("Initializing VNC server with no auth\n");
3576             *auth = VNC_AUTH_NONE;
3577         }
3578         *subauth = VNC_AUTH_INVALID;
3579     } else {
3580         bool is_x509 = object_dynamic_cast(OBJECT(tlscreds),
3581                                            TYPE_QCRYPTO_TLS_CREDS_X509) != NULL;
3582         bool is_anon = object_dynamic_cast(OBJECT(tlscreds),
3583                                            TYPE_QCRYPTO_TLS_CREDS_ANON) != NULL;
3584 
3585         if (!is_x509 && !is_anon) {
3586             error_setg(errp,
3587                        "Unsupported TLS cred type %s",
3588                        object_get_typename(OBJECT(tlscreds)));
3589             return -1;
3590         }
3591         *auth = VNC_AUTH_VENCRYPT;
3592         if (password) {
3593             if (is_x509) {
3594                 VNC_DEBUG("Initializing VNC server with x509 password auth\n");
3595                 *subauth = VNC_AUTH_VENCRYPT_X509VNC;
3596             } else {
3597                 VNC_DEBUG("Initializing VNC server with TLS password auth\n");
3598                 *subauth = VNC_AUTH_VENCRYPT_TLSVNC;
3599             }
3600 
3601         } else if (sasl) {
3602             if (is_x509) {
3603                 VNC_DEBUG("Initializing VNC server with x509 SASL auth\n");
3604                 *subauth = VNC_AUTH_VENCRYPT_X509SASL;
3605             } else {
3606                 VNC_DEBUG("Initializing VNC server with TLS SASL auth\n");
3607                 *subauth = VNC_AUTH_VENCRYPT_TLSSASL;
3608             }
3609         } else {
3610             if (is_x509) {
3611                 VNC_DEBUG("Initializing VNC server with x509 no auth\n");
3612                 *subauth = VNC_AUTH_VENCRYPT_X509NONE;
3613             } else {
3614                 VNC_DEBUG("Initializing VNC server with TLS no auth\n");
3615                 *subauth = VNC_AUTH_VENCRYPT_TLSNONE;
3616             }
3617         }
3618     }
3619     return 0;
3620 }
3621 
3622 
3623 static int vnc_display_get_address(const char *addrstr,
3624                                    bool websocket,
3625                                    bool reverse,
3626                                    int displaynum,
3627                                    int to,
3628                                    bool has_ipv4,
3629                                    bool has_ipv6,
3630                                    bool ipv4,
3631                                    bool ipv6,
3632                                    SocketAddress **retaddr,
3633                                    Error **errp)
3634 {
3635     int ret = -1;
3636     SocketAddress *addr = NULL;
3637 
3638     addr = g_new0(SocketAddress, 1);
3639 
3640     if (strncmp(addrstr, "unix:", 5) == 0) {
3641         addr->type = SOCKET_ADDRESS_TYPE_UNIX;
3642         addr->u.q_unix.path = g_strdup(addrstr + 5);
3643 
3644         if (websocket) {
3645             error_setg(errp, "UNIX sockets not supported with websock");
3646             goto cleanup;
3647         }
3648 
3649         if (to) {
3650             error_setg(errp, "Port range not support with UNIX socket");
3651             goto cleanup;
3652         }
3653         ret = 0;
3654     } else {
3655         const char *port;
3656         size_t hostlen;
3657         unsigned long long baseport = 0;
3658         InetSocketAddress *inet;
3659 
3660         port = strrchr(addrstr, ':');
3661         if (!port) {
3662             if (websocket) {
3663                 hostlen = 0;
3664                 port = addrstr;
3665             } else {
3666                 error_setg(errp, "no vnc port specified");
3667                 goto cleanup;
3668             }
3669         } else {
3670             hostlen = port - addrstr;
3671             port++;
3672             if (*port == '\0') {
3673                 error_setg(errp, "vnc port cannot be empty");
3674                 goto cleanup;
3675             }
3676         }
3677 
3678         addr->type = SOCKET_ADDRESS_TYPE_INET;
3679         inet = &addr->u.inet;
3680         if (addrstr[0] == '[' && addrstr[hostlen - 1] == ']') {
3681             inet->host = g_strndup(addrstr + 1, hostlen - 2);
3682         } else {
3683             inet->host = g_strndup(addrstr, hostlen);
3684         }
3685         /* plain VNC port is just an offset, for websocket
3686          * port is absolute */
3687         if (websocket) {
3688             if (g_str_equal(addrstr, "") ||
3689                 g_str_equal(addrstr, "on")) {
3690                 if (displaynum == -1) {
3691                     error_setg(errp, "explicit websocket port is required");
3692                     goto cleanup;
3693                 }
3694                 inet->port = g_strdup_printf(
3695                     "%d", displaynum + 5700);
3696                 if (to) {
3697                     inet->has_to = true;
3698                     inet->to = to + 5700;
3699                 }
3700             } else {
3701                 inet->port = g_strdup(port);
3702             }
3703         } else {
3704             int offset = reverse ? 0 : 5900;
3705             if (parse_uint_full(port, &baseport, 10) < 0) {
3706                 error_setg(errp, "can't convert to a number: %s", port);
3707                 goto cleanup;
3708             }
3709             if (baseport > 65535 ||
3710                 baseport + offset > 65535) {
3711                 error_setg(errp, "port %s out of range", port);
3712                 goto cleanup;
3713             }
3714             inet->port = g_strdup_printf(
3715                 "%d", (int)baseport + offset);
3716 
3717             if (to) {
3718                 inet->has_to = true;
3719                 inet->to = to + offset;
3720             }
3721         }
3722 
3723         inet->ipv4 = ipv4;
3724         inet->has_ipv4 = has_ipv4;
3725         inet->ipv6 = ipv6;
3726         inet->has_ipv6 = has_ipv6;
3727 
3728         ret = baseport;
3729     }
3730 
3731     *retaddr = addr;
3732 
3733  cleanup:
3734     if (ret < 0) {
3735         qapi_free_SocketAddress(addr);
3736     }
3737     return ret;
3738 }
3739 
3740 static void vnc_free_addresses(SocketAddress ***retsaddr,
3741                                size_t *retnsaddr)
3742 {
3743     size_t i;
3744 
3745     for (i = 0; i < *retnsaddr; i++) {
3746         qapi_free_SocketAddress((*retsaddr)[i]);
3747     }
3748     g_free(*retsaddr);
3749 
3750     *retsaddr = NULL;
3751     *retnsaddr = 0;
3752 }
3753 
3754 static int vnc_display_get_addresses(QemuOpts *opts,
3755                                      bool reverse,
3756                                      SocketAddress ***retsaddr,
3757                                      size_t *retnsaddr,
3758                                      SocketAddress ***retwsaddr,
3759                                      size_t *retnwsaddr,
3760                                      Error **errp)
3761 {
3762     SocketAddress *saddr = NULL;
3763     SocketAddress *wsaddr = NULL;
3764     QemuOptsIter addriter;
3765     const char *addr;
3766     int to = qemu_opt_get_number(opts, "to", 0);
3767     bool has_ipv4 = qemu_opt_get(opts, "ipv4");
3768     bool has_ipv6 = qemu_opt_get(opts, "ipv6");
3769     bool ipv4 = qemu_opt_get_bool(opts, "ipv4", false);
3770     bool ipv6 = qemu_opt_get_bool(opts, "ipv6", false);
3771     int displaynum = -1;
3772     int ret = -1;
3773 
3774     *retsaddr = NULL;
3775     *retnsaddr = 0;
3776     *retwsaddr = NULL;
3777     *retnwsaddr = 0;
3778 
3779     addr = qemu_opt_get(opts, "vnc");
3780     if (addr == NULL || g_str_equal(addr, "none")) {
3781         ret = 0;
3782         goto cleanup;
3783     }
3784     if (qemu_opt_get(opts, "websocket") &&
3785         !qcrypto_hash_supports(QCRYPTO_HASH_ALG_SHA1)) {
3786         error_setg(errp,
3787                    "SHA1 hash support is required for websockets");
3788         goto cleanup;
3789     }
3790 
3791     qemu_opt_iter_init(&addriter, opts, "vnc");
3792     while ((addr = qemu_opt_iter_next(&addriter)) != NULL) {
3793         int rv;
3794         rv = vnc_display_get_address(addr, false, reverse, 0, to,
3795                                      has_ipv4, has_ipv6,
3796                                      ipv4, ipv6,
3797                                      &saddr, errp);
3798         if (rv < 0) {
3799             goto cleanup;
3800         }
3801         /* Historical compat - first listen address can be used
3802          * to set the default websocket port
3803          */
3804         if (displaynum == -1) {
3805             displaynum = rv;
3806         }
3807         *retsaddr = g_renew(SocketAddress *, *retsaddr, *retnsaddr + 1);
3808         (*retsaddr)[(*retnsaddr)++] = saddr;
3809     }
3810 
3811     /* If we had multiple primary displays, we don't do defaults
3812      * for websocket, and require explicit config instead. */
3813     if (*retnsaddr > 1) {
3814         displaynum = -1;
3815     }
3816 
3817     qemu_opt_iter_init(&addriter, opts, "websocket");
3818     while ((addr = qemu_opt_iter_next(&addriter)) != NULL) {
3819         if (vnc_display_get_address(addr, true, reverse, displaynum, to,
3820                                     has_ipv4, has_ipv6,
3821                                     ipv4, ipv6,
3822                                     &wsaddr, errp) < 0) {
3823             goto cleanup;
3824         }
3825 
3826         /* Historical compat - if only a single listen address was
3827          * provided, then this is used to set the default listen
3828          * address for websocket too
3829          */
3830         if (*retnsaddr == 1 &&
3831             (*retsaddr)[0]->type == SOCKET_ADDRESS_TYPE_INET &&
3832             wsaddr->type == SOCKET_ADDRESS_TYPE_INET &&
3833             g_str_equal(wsaddr->u.inet.host, "") &&
3834             !g_str_equal((*retsaddr)[0]->u.inet.host, "")) {
3835             g_free(wsaddr->u.inet.host);
3836             wsaddr->u.inet.host = g_strdup((*retsaddr)[0]->u.inet.host);
3837         }
3838 
3839         *retwsaddr = g_renew(SocketAddress *, *retwsaddr, *retnwsaddr + 1);
3840         (*retwsaddr)[(*retnwsaddr)++] = wsaddr;
3841     }
3842 
3843     ret = 0;
3844  cleanup:
3845     if (ret < 0) {
3846         vnc_free_addresses(retsaddr, retnsaddr);
3847         vnc_free_addresses(retwsaddr, retnwsaddr);
3848     }
3849     return ret;
3850 }
3851 
3852 static int vnc_display_connect(VncDisplay *vd,
3853                                SocketAddress **saddr,
3854                                size_t nsaddr,
3855                                SocketAddress **wsaddr,
3856                                size_t nwsaddr,
3857                                Error **errp)
3858 {
3859     /* connect to viewer */
3860     QIOChannelSocket *sioc = NULL;
3861     if (nwsaddr != 0) {
3862         error_setg(errp, "Cannot use websockets in reverse mode");
3863         return -1;
3864     }
3865     if (nsaddr != 1) {
3866         error_setg(errp, "Expected a single address in reverse mode");
3867         return -1;
3868     }
3869     /* TODO SOCKET_ADDRESS_TYPE_FD when fd has AF_UNIX */
3870     vd->is_unix = saddr[0]->type == SOCKET_ADDRESS_TYPE_UNIX;
3871     sioc = qio_channel_socket_new();
3872     qio_channel_set_name(QIO_CHANNEL(sioc), "vnc-reverse");
3873     if (qio_channel_socket_connect_sync(sioc, saddr[0], errp) < 0) {
3874         object_unref(OBJECT(sioc));
3875         return -1;
3876     }
3877     vnc_connect(vd, sioc, false, false);
3878     object_unref(OBJECT(sioc));
3879     return 0;
3880 }
3881 
3882 
3883 static int vnc_display_listen(VncDisplay *vd,
3884                               SocketAddress **saddr,
3885                               size_t nsaddr,
3886                               SocketAddress **wsaddr,
3887                               size_t nwsaddr,
3888                               Error **errp)
3889 {
3890     size_t i;
3891 
3892     if (nsaddr) {
3893         vd->listener = qio_net_listener_new();
3894         qio_net_listener_set_name(vd->listener, "vnc-listen");
3895         for (i = 0; i < nsaddr; i++) {
3896             if (qio_net_listener_open_sync(vd->listener,
3897                                            saddr[i], 1,
3898                                            errp) < 0)  {
3899                 return -1;
3900             }
3901         }
3902 
3903         qio_net_listener_set_client_func(vd->listener,
3904                                          vnc_listen_io, vd, NULL);
3905     }
3906 
3907     if (nwsaddr) {
3908         vd->wslistener = qio_net_listener_new();
3909         qio_net_listener_set_name(vd->wslistener, "vnc-ws-listen");
3910         for (i = 0; i < nwsaddr; i++) {
3911             if (qio_net_listener_open_sync(vd->wslistener,
3912                                            wsaddr[i], 1,
3913                                            errp) < 0)  {
3914                 return -1;
3915             }
3916         }
3917 
3918         qio_net_listener_set_client_func(vd->wslistener,
3919                                          vnc_listen_io, vd, NULL);
3920     }
3921 
3922     return 0;
3923 }
3924 
3925 
3926 void vnc_display_open(const char *id, Error **errp)
3927 {
3928     VncDisplay *vd = vnc_display_find(id);
3929     QemuOpts *opts = qemu_opts_find(&qemu_vnc_opts, id);
3930     SocketAddress **saddr = NULL, **wsaddr = NULL;
3931     size_t nsaddr, nwsaddr;
3932     const char *share, *device_id;
3933     QemuConsole *con;
3934     bool password = false;
3935     bool reverse = false;
3936     const char *credid;
3937     bool sasl = false;
3938     int acl = 0;
3939     const char *tlsauthz;
3940     const char *saslauthz;
3941     int lock_key_sync = 1;
3942     int key_delay_ms;
3943     const char *audiodev;
3944 
3945     if (!vd) {
3946         error_setg(errp, "VNC display not active");
3947         return;
3948     }
3949     vnc_display_close(vd);
3950 
3951     if (!opts) {
3952         return;
3953     }
3954 
3955     reverse = qemu_opt_get_bool(opts, "reverse", false);
3956     if (vnc_display_get_addresses(opts, reverse, &saddr, &nsaddr,
3957                                   &wsaddr, &nwsaddr, errp) < 0) {
3958         goto fail;
3959     }
3960 
3961     password = qemu_opt_get_bool(opts, "password", false);
3962     if (password) {
3963         if (fips_get_state()) {
3964             error_setg(errp,
3965                        "VNC password auth disabled due to FIPS mode, "
3966                        "consider using the VeNCrypt or SASL authentication "
3967                        "methods as an alternative");
3968             goto fail;
3969         }
3970         if (!qcrypto_cipher_supports(
3971                 QCRYPTO_CIPHER_ALG_DES_RFB, QCRYPTO_CIPHER_MODE_ECB)) {
3972             error_setg(errp,
3973                        "Cipher backend does not support DES RFB algorithm");
3974             goto fail;
3975         }
3976     }
3977 
3978     lock_key_sync = qemu_opt_get_bool(opts, "lock-key-sync", true);
3979     key_delay_ms = qemu_opt_get_number(opts, "key-delay-ms", 10);
3980     sasl = qemu_opt_get_bool(opts, "sasl", false);
3981 #ifndef CONFIG_VNC_SASL
3982     if (sasl) {
3983         error_setg(errp, "VNC SASL auth requires cyrus-sasl support");
3984         goto fail;
3985     }
3986 #endif /* CONFIG_VNC_SASL */
3987     credid = qemu_opt_get(opts, "tls-creds");
3988     if (credid) {
3989         Object *creds;
3990         creds = object_resolve_path_component(
3991             object_get_objects_root(), credid);
3992         if (!creds) {
3993             error_setg(errp, "No TLS credentials with id '%s'",
3994                        credid);
3995             goto fail;
3996         }
3997         vd->tlscreds = (QCryptoTLSCreds *)
3998             object_dynamic_cast(creds,
3999                                 TYPE_QCRYPTO_TLS_CREDS);
4000         if (!vd->tlscreds) {
4001             error_setg(errp, "Object with id '%s' is not TLS credentials",
4002                        credid);
4003             goto fail;
4004         }
4005         object_ref(OBJECT(vd->tlscreds));
4006 
4007         if (vd->tlscreds->endpoint != QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) {
4008             error_setg(errp,
4009                        "Expecting TLS credentials with a server endpoint");
4010             goto fail;
4011         }
4012     }
4013     if (qemu_opt_get(opts, "acl")) {
4014         error_report("The 'acl' option to -vnc is deprecated. "
4015                      "Please use the 'tls-authz' and 'sasl-authz' "
4016                      "options instead");
4017     }
4018     acl = qemu_opt_get_bool(opts, "acl", false);
4019     tlsauthz = qemu_opt_get(opts, "tls-authz");
4020     if (acl && tlsauthz) {
4021         error_setg(errp, "'acl' option is mutually exclusive with the "
4022                    "'tls-authz' option");
4023         goto fail;
4024     }
4025     if (tlsauthz && !vd->tlscreds) {
4026         error_setg(errp, "'tls-authz' provided but TLS is not enabled");
4027         goto fail;
4028     }
4029 
4030     saslauthz = qemu_opt_get(opts, "sasl-authz");
4031     if (acl && saslauthz) {
4032         error_setg(errp, "'acl' option is mutually exclusive with the "
4033                    "'sasl-authz' option");
4034         goto fail;
4035     }
4036     if (saslauthz && !sasl) {
4037         error_setg(errp, "'sasl-authz' provided but SASL auth is not enabled");
4038         goto fail;
4039     }
4040 
4041     share = qemu_opt_get(opts, "share");
4042     if (share) {
4043         if (strcmp(share, "ignore") == 0) {
4044             vd->share_policy = VNC_SHARE_POLICY_IGNORE;
4045         } else if (strcmp(share, "allow-exclusive") == 0) {
4046             vd->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
4047         } else if (strcmp(share, "force-shared") == 0) {
4048             vd->share_policy = VNC_SHARE_POLICY_FORCE_SHARED;
4049         } else {
4050             error_setg(errp, "unknown vnc share= option");
4051             goto fail;
4052         }
4053     } else {
4054         vd->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
4055     }
4056     vd->connections_limit = qemu_opt_get_number(opts, "connections", 32);
4057 
4058 #ifdef CONFIG_VNC_JPEG
4059     vd->lossy = qemu_opt_get_bool(opts, "lossy", false);
4060 #endif
4061     vd->non_adaptive = qemu_opt_get_bool(opts, "non-adaptive", false);
4062     /* adaptive updates are only used with tight encoding and
4063      * if lossy updates are enabled so we can disable all the
4064      * calculations otherwise */
4065     if (!vd->lossy) {
4066         vd->non_adaptive = true;
4067     }
4068 
4069     vd->power_control = qemu_opt_get_bool(opts, "power-control", false);
4070 
4071     if (tlsauthz) {
4072         vd->tlsauthzid = g_strdup(tlsauthz);
4073     } else if (acl) {
4074         if (strcmp(vd->id, "default") == 0) {
4075             vd->tlsauthzid = g_strdup("vnc.x509dname");
4076         } else {
4077             vd->tlsauthzid = g_strdup_printf("vnc.%s.x509dname", vd->id);
4078         }
4079         vd->tlsauthz = QAUTHZ(qauthz_list_new(vd->tlsauthzid,
4080                                               QAUTHZ_LIST_POLICY_DENY,
4081                                               &error_abort));
4082     }
4083 #ifdef CONFIG_VNC_SASL
4084     if (sasl) {
4085         if (saslauthz) {
4086             vd->sasl.authzid = g_strdup(saslauthz);
4087         } else if (acl) {
4088             if (strcmp(vd->id, "default") == 0) {
4089                 vd->sasl.authzid = g_strdup("vnc.username");
4090             } else {
4091                 vd->sasl.authzid = g_strdup_printf("vnc.%s.username", vd->id);
4092             }
4093             vd->sasl.authz = QAUTHZ(qauthz_list_new(vd->sasl.authzid,
4094                                                     QAUTHZ_LIST_POLICY_DENY,
4095                                                     &error_abort));
4096         }
4097     }
4098 #endif
4099 
4100     if (vnc_display_setup_auth(&vd->auth, &vd->subauth,
4101                                vd->tlscreds, password,
4102                                sasl, false, errp) < 0) {
4103         goto fail;
4104     }
4105     trace_vnc_auth_init(vd, 0, vd->auth, vd->subauth);
4106 
4107     if (vnc_display_setup_auth(&vd->ws_auth, &vd->ws_subauth,
4108                                vd->tlscreds, password,
4109                                sasl, true, errp) < 0) {
4110         goto fail;
4111     }
4112     trace_vnc_auth_init(vd, 1, vd->ws_auth, vd->ws_subauth);
4113 
4114 #ifdef CONFIG_VNC_SASL
4115     if (sasl) {
4116         int saslErr = sasl_server_init(NULL, "qemu");
4117 
4118         if (saslErr != SASL_OK) {
4119             error_setg(errp, "Failed to initialize SASL auth: %s",
4120                        sasl_errstring(saslErr, NULL, NULL));
4121             goto fail;
4122         }
4123     }
4124 #endif
4125     vd->lock_key_sync = lock_key_sync;
4126     if (lock_key_sync) {
4127         vd->led = qemu_add_led_event_handler(kbd_leds, vd);
4128     }
4129     vd->ledstate = 0;
4130 
4131     audiodev = qemu_opt_get(opts, "audiodev");
4132     if (audiodev) {
4133         vd->audio_state = audio_state_by_name(audiodev);
4134         if (!vd->audio_state) {
4135             error_setg(errp, "Audiodev '%s' not found", audiodev);
4136             goto fail;
4137         }
4138     }
4139 
4140     device_id = qemu_opt_get(opts, "display");
4141     if (device_id) {
4142         int head = qemu_opt_get_number(opts, "head", 0);
4143         Error *err = NULL;
4144 
4145         con = qemu_console_lookup_by_device_name(device_id, head, &err);
4146         if (err) {
4147             error_propagate(errp, err);
4148             goto fail;
4149         }
4150     } else {
4151         con = NULL;
4152     }
4153 
4154     if (con != vd->dcl.con) {
4155         qkbd_state_free(vd->kbd);
4156         unregister_displaychangelistener(&vd->dcl);
4157         vd->dcl.con = con;
4158         register_displaychangelistener(&vd->dcl);
4159         vd->kbd = qkbd_state_init(vd->dcl.con);
4160     }
4161     qkbd_state_set_delay(vd->kbd, key_delay_ms);
4162 
4163     if (saddr == NULL) {
4164         goto cleanup;
4165     }
4166 
4167     if (reverse) {
4168         if (vnc_display_connect(vd, saddr, nsaddr, wsaddr, nwsaddr, errp) < 0) {
4169             goto fail;
4170         }
4171     } else {
4172         if (vnc_display_listen(vd, saddr, nsaddr, wsaddr, nwsaddr, errp) < 0) {
4173             goto fail;
4174         }
4175     }
4176 
4177     if (qemu_opt_get(opts, "to")) {
4178         vnc_display_print_local_addr(vd);
4179     }
4180 
4181  cleanup:
4182     vnc_free_addresses(&saddr, &nsaddr);
4183     vnc_free_addresses(&wsaddr, &nwsaddr);
4184     return;
4185 
4186 fail:
4187     vnc_display_close(vd);
4188     goto cleanup;
4189 }
4190 
4191 void vnc_display_add_client(const char *id, int csock, bool skipauth)
4192 {
4193     VncDisplay *vd = vnc_display_find(id);
4194     QIOChannelSocket *sioc;
4195 
4196     if (!vd) {
4197         return;
4198     }
4199 
4200     sioc = qio_channel_socket_new_fd(csock, NULL);
4201     if (sioc) {
4202         qio_channel_set_name(QIO_CHANNEL(sioc), "vnc-server");
4203         vnc_connect(vd, sioc, skipauth, false);
4204         object_unref(OBJECT(sioc));
4205     }
4206 }
4207 
4208 static void vnc_auto_assign_id(QemuOptsList *olist, QemuOpts *opts)
4209 {
4210     int i = 2;
4211     char *id;
4212 
4213     id = g_strdup("default");
4214     while (qemu_opts_find(olist, id)) {
4215         g_free(id);
4216         id = g_strdup_printf("vnc%d", i++);
4217     }
4218     qemu_opts_set_id(opts, id);
4219 }
4220 
4221 void vnc_parse(const char *str)
4222 {
4223     QemuOptsList *olist = qemu_find_opts("vnc");
4224     QemuOpts *opts = qemu_opts_parse_noisily(olist, str, !is_help_option(str));
4225     const char *id;
4226 
4227     if (!opts) {
4228         exit(1);
4229     }
4230 
4231     id = qemu_opts_id(opts);
4232     if (!id) {
4233         /* auto-assign id if not present */
4234         vnc_auto_assign_id(olist, opts);
4235     }
4236 }
4237 
4238 int vnc_init_func(void *opaque, QemuOpts *opts, Error **errp)
4239 {
4240     Error *local_err = NULL;
4241     char *id = (char *)qemu_opts_id(opts);
4242 
4243     assert(id);
4244     vnc_display_init(id, &local_err);
4245     if (local_err) {
4246         error_propagate(errp, local_err);
4247         return -1;
4248     }
4249     vnc_display_open(id, &local_err);
4250     if (local_err != NULL) {
4251         error_propagate(errp, local_err);
4252         return -1;
4253     }
4254     return 0;
4255 }
4256 
4257 static void vnc_register_config(void)
4258 {
4259     qemu_add_opts(&qemu_vnc_opts);
4260 }
4261 opts_init(vnc_register_config);
4262