xref: /openbmc/qemu/ui/vnc.c (revision f1f7e4bf)
1 /*
2  * QEMU VNC display driver
3  *
4  * Copyright (C) 2006 Anthony Liguori <anthony@codemonkey.ws>
5  * Copyright (C) 2006 Fabrice Bellard
6  * Copyright (C) 2009 Red Hat, Inc
7  *
8  * Permission is hereby granted, free of charge, to any person obtaining a copy
9  * of this software and associated documentation files (the "Software"), to deal
10  * in the Software without restriction, including without limitation the rights
11  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
12  * copies of the Software, and to permit persons to whom the Software is
13  * furnished to do so, subject to the following conditions:
14  *
15  * The above copyright notice and this permission notice shall be included in
16  * all copies or substantial portions of the Software.
17  *
18  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
19  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
20  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
21  * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
22  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
23  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
24  * THE SOFTWARE.
25  */
26 
27 #include "vnc.h"
28 #include "vnc-jobs.h"
29 #include "trace.h"
30 #include "hw/qdev.h"
31 #include "sysemu/sysemu.h"
32 #include "qemu/error-report.h"
33 #include "qemu/sockets.h"
34 #include "qemu/timer.h"
35 #include "qemu/acl.h"
36 #include "qemu/config-file.h"
37 #include "qapi/qmp/qerror.h"
38 #include "qapi/qmp/types.h"
39 #include "qmp-commands.h"
40 #include "qemu/osdep.h"
41 #include "ui/input.h"
42 #include "qapi-event.h"
43 #include "crypto/hash.h"
44 #include "crypto/tlscredsanon.h"
45 #include "crypto/tlscredsx509.h"
46 #include "qom/object_interfaces.h"
47 
48 #define VNC_REFRESH_INTERVAL_BASE GUI_REFRESH_INTERVAL_DEFAULT
49 #define VNC_REFRESH_INTERVAL_INC  50
50 #define VNC_REFRESH_INTERVAL_MAX  GUI_REFRESH_INTERVAL_IDLE
51 static const struct timeval VNC_REFRESH_STATS = { 0, 500000 };
52 static const struct timeval VNC_REFRESH_LOSSY = { 2, 0 };
53 
54 #include "vnc_keysym.h"
55 #include "crypto/cipher.h"
56 
57 static QTAILQ_HEAD(, VncDisplay) vnc_displays =
58     QTAILQ_HEAD_INITIALIZER(vnc_displays);
59 
60 static int vnc_cursor_define(VncState *vs);
61 static void vnc_release_modifiers(VncState *vs);
62 
63 static void vnc_set_share_mode(VncState *vs, VncShareMode mode)
64 {
65 #ifdef _VNC_DEBUG
66     static const char *mn[] = {
67         [0]                           = "undefined",
68         [VNC_SHARE_MODE_CONNECTING]   = "connecting",
69         [VNC_SHARE_MODE_SHARED]       = "shared",
70         [VNC_SHARE_MODE_EXCLUSIVE]    = "exclusive",
71         [VNC_SHARE_MODE_DISCONNECTED] = "disconnected",
72     };
73     fprintf(stderr, "%s/%d: %s -> %s\n", __func__,
74             vs->csock, mn[vs->share_mode], mn[mode]);
75 #endif
76 
77     switch (vs->share_mode) {
78     case VNC_SHARE_MODE_CONNECTING:
79         vs->vd->num_connecting--;
80         break;
81     case VNC_SHARE_MODE_SHARED:
82         vs->vd->num_shared--;
83         break;
84     case VNC_SHARE_MODE_EXCLUSIVE:
85         vs->vd->num_exclusive--;
86         break;
87     default:
88         break;
89     }
90 
91     vs->share_mode = mode;
92 
93     switch (vs->share_mode) {
94     case VNC_SHARE_MODE_CONNECTING:
95         vs->vd->num_connecting++;
96         break;
97     case VNC_SHARE_MODE_SHARED:
98         vs->vd->num_shared++;
99         break;
100     case VNC_SHARE_MODE_EXCLUSIVE:
101         vs->vd->num_exclusive++;
102         break;
103     default:
104         break;
105     }
106 }
107 
108 static char *addr_to_string(const char *format,
109                             struct sockaddr_storage *sa,
110                             socklen_t salen) {
111     char *addr;
112     char host[NI_MAXHOST];
113     char serv[NI_MAXSERV];
114     int err;
115     size_t addrlen;
116 
117     if ((err = getnameinfo((struct sockaddr *)sa, salen,
118                            host, sizeof(host),
119                            serv, sizeof(serv),
120                            NI_NUMERICHOST | NI_NUMERICSERV)) != 0) {
121         VNC_DEBUG("Cannot resolve address %d: %s\n",
122                   err, gai_strerror(err));
123         return NULL;
124     }
125 
126     /* Enough for the existing format + the 2 vars we're
127      * substituting in. */
128     addrlen = strlen(format) + strlen(host) + strlen(serv);
129     addr = g_malloc(addrlen + 1);
130     snprintf(addr, addrlen, format, host, serv);
131     addr[addrlen] = '\0';
132 
133     return addr;
134 }
135 
136 
137 char *vnc_socket_local_addr(const char *format, int fd) {
138     struct sockaddr_storage sa;
139     socklen_t salen;
140 
141     salen = sizeof(sa);
142     if (getsockname(fd, (struct sockaddr*)&sa, &salen) < 0)
143         return NULL;
144 
145     return addr_to_string(format, &sa, salen);
146 }
147 
148 char *vnc_socket_remote_addr(const char *format, int fd) {
149     struct sockaddr_storage sa;
150     socklen_t salen;
151 
152     salen = sizeof(sa);
153     if (getpeername(fd, (struct sockaddr*)&sa, &salen) < 0)
154         return NULL;
155 
156     return addr_to_string(format, &sa, salen);
157 }
158 
159 static void vnc_init_basic_info(struct sockaddr_storage *sa,
160                                 socklen_t salen,
161                                 VncBasicInfo *info,
162                                 Error **errp)
163 {
164     char host[NI_MAXHOST];
165     char serv[NI_MAXSERV];
166     int err;
167 
168     if ((err = getnameinfo((struct sockaddr *)sa, salen,
169                            host, sizeof(host),
170                            serv, sizeof(serv),
171                            NI_NUMERICHOST | NI_NUMERICSERV)) != 0) {
172         error_setg(errp, "Cannot resolve address: %s",
173                    gai_strerror(err));
174         return;
175     }
176 
177     info->host = g_strdup(host);
178     info->service = g_strdup(serv);
179     info->family = inet_netfamily(sa->ss_family);
180 }
181 
182 static void vnc_init_basic_info_from_server_addr(int fd, VncBasicInfo *info,
183                                                  Error **errp)
184 {
185     struct sockaddr_storage sa;
186     socklen_t salen;
187 
188     salen = sizeof(sa);
189     if (getsockname(fd, (struct sockaddr*)&sa, &salen) < 0) {
190         error_setg_errno(errp, errno, "getsockname failed");
191         return;
192     }
193 
194     vnc_init_basic_info(&sa, salen, info, errp);
195 }
196 
197 static void vnc_init_basic_info_from_remote_addr(int fd, VncBasicInfo *info,
198                                                  Error **errp)
199 {
200     struct sockaddr_storage sa;
201     socklen_t salen;
202 
203     salen = sizeof(sa);
204     if (getpeername(fd, (struct sockaddr*)&sa, &salen) < 0) {
205         error_setg_errno(errp, errno, "getpeername failed");
206         return;
207     }
208 
209     vnc_init_basic_info(&sa, salen, info, errp);
210 }
211 
212 static const char *vnc_auth_name(VncDisplay *vd) {
213     switch (vd->auth) {
214     case VNC_AUTH_INVALID:
215         return "invalid";
216     case VNC_AUTH_NONE:
217         return "none";
218     case VNC_AUTH_VNC:
219         return "vnc";
220     case VNC_AUTH_RA2:
221         return "ra2";
222     case VNC_AUTH_RA2NE:
223         return "ra2ne";
224     case VNC_AUTH_TIGHT:
225         return "tight";
226     case VNC_AUTH_ULTRA:
227         return "ultra";
228     case VNC_AUTH_TLS:
229         return "tls";
230     case VNC_AUTH_VENCRYPT:
231         switch (vd->subauth) {
232         case VNC_AUTH_VENCRYPT_PLAIN:
233             return "vencrypt+plain";
234         case VNC_AUTH_VENCRYPT_TLSNONE:
235             return "vencrypt+tls+none";
236         case VNC_AUTH_VENCRYPT_TLSVNC:
237             return "vencrypt+tls+vnc";
238         case VNC_AUTH_VENCRYPT_TLSPLAIN:
239             return "vencrypt+tls+plain";
240         case VNC_AUTH_VENCRYPT_X509NONE:
241             return "vencrypt+x509+none";
242         case VNC_AUTH_VENCRYPT_X509VNC:
243             return "vencrypt+x509+vnc";
244         case VNC_AUTH_VENCRYPT_X509PLAIN:
245             return "vencrypt+x509+plain";
246         case VNC_AUTH_VENCRYPT_TLSSASL:
247             return "vencrypt+tls+sasl";
248         case VNC_AUTH_VENCRYPT_X509SASL:
249             return "vencrypt+x509+sasl";
250         default:
251             return "vencrypt";
252         }
253     case VNC_AUTH_SASL:
254         return "sasl";
255     }
256     return "unknown";
257 }
258 
259 static VncServerInfo *vnc_server_info_get(VncDisplay *vd)
260 {
261     VncServerInfo *info;
262     Error *err = NULL;
263 
264     info = g_malloc(sizeof(*info));
265     vnc_init_basic_info_from_server_addr(vd->lsock,
266                                          qapi_VncServerInfo_base(info), &err);
267     info->has_auth = true;
268     info->auth = g_strdup(vnc_auth_name(vd));
269     if (err) {
270         qapi_free_VncServerInfo(info);
271         info = NULL;
272         error_free(err);
273     }
274     return info;
275 }
276 
277 static void vnc_client_cache_auth(VncState *client)
278 {
279     if (!client->info) {
280         return;
281     }
282 
283     if (client->tls) {
284         client->info->x509_dname =
285             qcrypto_tls_session_get_peer_name(client->tls);
286         client->info->has_x509_dname =
287             client->info->x509_dname != NULL;
288     }
289 #ifdef CONFIG_VNC_SASL
290     if (client->sasl.conn &&
291         client->sasl.username) {
292         client->info->has_sasl_username = true;
293         client->info->sasl_username = g_strdup(client->sasl.username);
294     }
295 #endif
296 }
297 
298 static void vnc_client_cache_addr(VncState *client)
299 {
300     Error *err = NULL;
301 
302     client->info = g_malloc0(sizeof(*client->info));
303     vnc_init_basic_info_from_remote_addr(client->csock,
304                                          qapi_VncClientInfo_base(client->info),
305                                          &err);
306     if (err) {
307         qapi_free_VncClientInfo(client->info);
308         client->info = NULL;
309         error_free(err);
310     }
311 }
312 
313 static void vnc_qmp_event(VncState *vs, QAPIEvent event)
314 {
315     VncServerInfo *si;
316 
317     if (!vs->info) {
318         return;
319     }
320 
321     si = vnc_server_info_get(vs->vd);
322     if (!si) {
323         return;
324     }
325 
326     switch (event) {
327     case QAPI_EVENT_VNC_CONNECTED:
328         qapi_event_send_vnc_connected(si, qapi_VncClientInfo_base(vs->info),
329                                       &error_abort);
330         break;
331     case QAPI_EVENT_VNC_INITIALIZED:
332         qapi_event_send_vnc_initialized(si, vs->info, &error_abort);
333         break;
334     case QAPI_EVENT_VNC_DISCONNECTED:
335         qapi_event_send_vnc_disconnected(si, vs->info, &error_abort);
336         break;
337     default:
338         break;
339     }
340 
341     qapi_free_VncServerInfo(si);
342 }
343 
344 static VncClientInfo *qmp_query_vnc_client(const VncState *client)
345 {
346     struct sockaddr_storage sa;
347     socklen_t salen = sizeof(sa);
348     char host[NI_MAXHOST];
349     char serv[NI_MAXSERV];
350     VncClientInfo *info;
351 
352     if (getpeername(client->csock, (struct sockaddr *)&sa, &salen) < 0) {
353         return NULL;
354     }
355 
356     if (getnameinfo((struct sockaddr *)&sa, salen,
357                     host, sizeof(host),
358                     serv, sizeof(serv),
359                     NI_NUMERICHOST | NI_NUMERICSERV) < 0) {
360         return NULL;
361     }
362 
363     info = g_malloc0(sizeof(*info));
364     info->host = g_strdup(host);
365     info->service = g_strdup(serv);
366     info->family = inet_netfamily(sa.ss_family);
367     info->websocket = client->websocket;
368 
369     if (client->tls) {
370         info->x509_dname = qcrypto_tls_session_get_peer_name(client->tls);
371         info->has_x509_dname = info->x509_dname != NULL;
372     }
373 #ifdef CONFIG_VNC_SASL
374     if (client->sasl.conn && client->sasl.username) {
375         info->has_sasl_username = true;
376         info->sasl_username = g_strdup(client->sasl.username);
377     }
378 #endif
379 
380     return info;
381 }
382 
383 static VncDisplay *vnc_display_find(const char *id)
384 {
385     VncDisplay *vd;
386 
387     if (id == NULL) {
388         return QTAILQ_FIRST(&vnc_displays);
389     }
390     QTAILQ_FOREACH(vd, &vnc_displays, next) {
391         if (strcmp(id, vd->id) == 0) {
392             return vd;
393         }
394     }
395     return NULL;
396 }
397 
398 static VncClientInfoList *qmp_query_client_list(VncDisplay *vd)
399 {
400     VncClientInfoList *cinfo, *prev = NULL;
401     VncState *client;
402 
403     QTAILQ_FOREACH(client, &vd->clients, next) {
404         cinfo = g_new0(VncClientInfoList, 1);
405         cinfo->value = qmp_query_vnc_client(client);
406         cinfo->next = prev;
407         prev = cinfo;
408     }
409     return prev;
410 }
411 
412 VncInfo *qmp_query_vnc(Error **errp)
413 {
414     VncInfo *info = g_malloc0(sizeof(*info));
415     VncDisplay *vd = vnc_display_find(NULL);
416 
417     if (vd == NULL || !vd->enabled) {
418         info->enabled = false;
419     } else {
420         struct sockaddr_storage sa;
421         socklen_t salen = sizeof(sa);
422         char host[NI_MAXHOST];
423         char serv[NI_MAXSERV];
424 
425         info->enabled = true;
426 
427         /* for compatibility with the original command */
428         info->has_clients = true;
429         info->clients = qmp_query_client_list(vd);
430 
431         if (vd->lsock == -1) {
432             return info;
433         }
434 
435         if (getsockname(vd->lsock, (struct sockaddr *)&sa,
436                         &salen) == -1) {
437             error_setg(errp, QERR_UNDEFINED_ERROR);
438             goto out_error;
439         }
440 
441         if (getnameinfo((struct sockaddr *)&sa, salen,
442                         host, sizeof(host),
443                         serv, sizeof(serv),
444                         NI_NUMERICHOST | NI_NUMERICSERV) < 0) {
445             error_setg(errp, QERR_UNDEFINED_ERROR);
446             goto out_error;
447         }
448 
449         info->has_host = true;
450         info->host = g_strdup(host);
451 
452         info->has_service = true;
453         info->service = g_strdup(serv);
454 
455         info->has_family = true;
456         info->family = inet_netfamily(sa.ss_family);
457 
458         info->has_auth = true;
459         info->auth = g_strdup(vnc_auth_name(vd));
460     }
461 
462     return info;
463 
464 out_error:
465     qapi_free_VncInfo(info);
466     return NULL;
467 }
468 
469 static VncBasicInfoList *qmp_query_server_entry(int socket,
470                                                 bool websocket,
471                                                 VncBasicInfoList *prev)
472 {
473     VncBasicInfoList *list;
474     VncBasicInfo *info;
475     struct sockaddr_storage sa;
476     socklen_t salen = sizeof(sa);
477     char host[NI_MAXHOST];
478     char serv[NI_MAXSERV];
479 
480     if (getsockname(socket, (struct sockaddr *)&sa, &salen) < 0 ||
481         getnameinfo((struct sockaddr *)&sa, salen,
482                     host, sizeof(host), serv, sizeof(serv),
483                     NI_NUMERICHOST | NI_NUMERICSERV) < 0) {
484         return prev;
485     }
486 
487     info = g_new0(VncBasicInfo, 1);
488     info->host = g_strdup(host);
489     info->service = g_strdup(serv);
490     info->family = inet_netfamily(sa.ss_family);
491     info->websocket = websocket;
492 
493     list = g_new0(VncBasicInfoList, 1);
494     list->value = info;
495     list->next = prev;
496     return list;
497 }
498 
499 static void qmp_query_auth(VncDisplay *vd, VncInfo2 *info)
500 {
501     switch (vd->auth) {
502     case VNC_AUTH_VNC:
503         info->auth = VNC_PRIMARY_AUTH_VNC;
504         break;
505     case VNC_AUTH_RA2:
506         info->auth = VNC_PRIMARY_AUTH_RA2;
507         break;
508     case VNC_AUTH_RA2NE:
509         info->auth = VNC_PRIMARY_AUTH_RA2NE;
510         break;
511     case VNC_AUTH_TIGHT:
512         info->auth = VNC_PRIMARY_AUTH_TIGHT;
513         break;
514     case VNC_AUTH_ULTRA:
515         info->auth = VNC_PRIMARY_AUTH_ULTRA;
516         break;
517     case VNC_AUTH_TLS:
518         info->auth = VNC_PRIMARY_AUTH_TLS;
519         break;
520     case VNC_AUTH_VENCRYPT:
521         info->auth = VNC_PRIMARY_AUTH_VENCRYPT;
522         info->has_vencrypt = true;
523         switch (vd->subauth) {
524         case VNC_AUTH_VENCRYPT_PLAIN:
525             info->vencrypt = VNC_VENCRYPT_SUB_AUTH_PLAIN;
526             break;
527         case VNC_AUTH_VENCRYPT_TLSNONE:
528             info->vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_NONE;
529             break;
530         case VNC_AUTH_VENCRYPT_TLSVNC:
531             info->vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_VNC;
532             break;
533         case VNC_AUTH_VENCRYPT_TLSPLAIN:
534             info->vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_PLAIN;
535             break;
536         case VNC_AUTH_VENCRYPT_X509NONE:
537             info->vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_NONE;
538             break;
539         case VNC_AUTH_VENCRYPT_X509VNC:
540             info->vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_VNC;
541             break;
542         case VNC_AUTH_VENCRYPT_X509PLAIN:
543             info->vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_PLAIN;
544             break;
545         case VNC_AUTH_VENCRYPT_TLSSASL:
546             info->vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_SASL;
547             break;
548         case VNC_AUTH_VENCRYPT_X509SASL:
549             info->vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_SASL;
550             break;
551         default:
552             info->has_vencrypt = false;
553             break;
554         }
555         break;
556     case VNC_AUTH_SASL:
557         info->auth = VNC_PRIMARY_AUTH_SASL;
558         break;
559     case VNC_AUTH_NONE:
560     default:
561         info->auth = VNC_PRIMARY_AUTH_NONE;
562         break;
563     }
564 }
565 
566 VncInfo2List *qmp_query_vnc_servers(Error **errp)
567 {
568     VncInfo2List *item, *prev = NULL;
569     VncInfo2 *info;
570     VncDisplay *vd;
571     DeviceState *dev;
572 
573     QTAILQ_FOREACH(vd, &vnc_displays, next) {
574         info = g_new0(VncInfo2, 1);
575         info->id = g_strdup(vd->id);
576         info->clients = qmp_query_client_list(vd);
577         qmp_query_auth(vd, info);
578         if (vd->dcl.con) {
579             dev = DEVICE(object_property_get_link(OBJECT(vd->dcl.con),
580                                                   "device", NULL));
581             info->has_display = true;
582             info->display = g_strdup(dev->id);
583         }
584         if (vd->lsock != -1) {
585             info->server = qmp_query_server_entry(vd->lsock, false,
586                                                   info->server);
587         }
588         if (vd->lwebsock != -1) {
589             info->server = qmp_query_server_entry(vd->lwebsock, true,
590                                                   info->server);
591         }
592 
593         item = g_new0(VncInfo2List, 1);
594         item->value = info;
595         item->next = prev;
596         prev = item;
597     }
598     return prev;
599 }
600 
601 /* TODO
602    1) Get the queue working for IO.
603    2) there is some weirdness when using the -S option (the screen is grey
604       and not totally invalidated
605    3) resolutions > 1024
606 */
607 
608 static int vnc_update_client(VncState *vs, int has_dirty, bool sync);
609 static void vnc_disconnect_start(VncState *vs);
610 
611 static void vnc_colordepth(VncState *vs);
612 static void framebuffer_update_request(VncState *vs, int incremental,
613                                        int x_position, int y_position,
614                                        int w, int h);
615 static void vnc_refresh(DisplayChangeListener *dcl);
616 static int vnc_refresh_server_surface(VncDisplay *vd);
617 
618 static int vnc_width(VncDisplay *vd)
619 {
620     return MIN(VNC_MAX_WIDTH, ROUND_UP(surface_width(vd->ds),
621                                        VNC_DIRTY_PIXELS_PER_BIT));
622 }
623 
624 static int vnc_height(VncDisplay *vd)
625 {
626     return MIN(VNC_MAX_HEIGHT, surface_height(vd->ds));
627 }
628 
629 static void vnc_set_area_dirty(DECLARE_BITMAP(dirty[VNC_MAX_HEIGHT],
630                                VNC_MAX_WIDTH / VNC_DIRTY_PIXELS_PER_BIT),
631                                VncDisplay *vd,
632                                int x, int y, int w, int h)
633 {
634     int width = vnc_width(vd);
635     int height = vnc_height(vd);
636 
637     /* this is needed this to ensure we updated all affected
638      * blocks if x % VNC_DIRTY_PIXELS_PER_BIT != 0 */
639     w += (x % VNC_DIRTY_PIXELS_PER_BIT);
640     x -= (x % VNC_DIRTY_PIXELS_PER_BIT);
641 
642     x = MIN(x, width);
643     y = MIN(y, height);
644     w = MIN(x + w, width) - x;
645     h = MIN(y + h, height);
646 
647     for (; y < h; y++) {
648         bitmap_set(dirty[y], x / VNC_DIRTY_PIXELS_PER_BIT,
649                    DIV_ROUND_UP(w, VNC_DIRTY_PIXELS_PER_BIT));
650     }
651 }
652 
653 static void vnc_dpy_update(DisplayChangeListener *dcl,
654                            int x, int y, int w, int h)
655 {
656     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
657     struct VncSurface *s = &vd->guest;
658 
659     vnc_set_area_dirty(s->dirty, vd, x, y, w, h);
660 }
661 
662 void vnc_framebuffer_update(VncState *vs, int x, int y, int w, int h,
663                             int32_t encoding)
664 {
665     vnc_write_u16(vs, x);
666     vnc_write_u16(vs, y);
667     vnc_write_u16(vs, w);
668     vnc_write_u16(vs, h);
669 
670     vnc_write_s32(vs, encoding);
671 }
672 
673 
674 static void vnc_desktop_resize(VncState *vs)
675 {
676     if (vs->csock == -1 || !vnc_has_feature(vs, VNC_FEATURE_RESIZE)) {
677         return;
678     }
679     if (vs->client_width == pixman_image_get_width(vs->vd->server) &&
680         vs->client_height == pixman_image_get_height(vs->vd->server)) {
681         return;
682     }
683     vs->client_width = pixman_image_get_width(vs->vd->server);
684     vs->client_height = pixman_image_get_height(vs->vd->server);
685     vnc_lock_output(vs);
686     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
687     vnc_write_u8(vs, 0);
688     vnc_write_u16(vs, 1); /* number of rects */
689     vnc_framebuffer_update(vs, 0, 0, vs->client_width, vs->client_height,
690                            VNC_ENCODING_DESKTOPRESIZE);
691     vnc_unlock_output(vs);
692     vnc_flush(vs);
693 }
694 
695 static void vnc_abort_display_jobs(VncDisplay *vd)
696 {
697     VncState *vs;
698 
699     QTAILQ_FOREACH(vs, &vd->clients, next) {
700         vnc_lock_output(vs);
701         vs->abort = true;
702         vnc_unlock_output(vs);
703     }
704     QTAILQ_FOREACH(vs, &vd->clients, next) {
705         vnc_jobs_join(vs);
706     }
707     QTAILQ_FOREACH(vs, &vd->clients, next) {
708         vnc_lock_output(vs);
709         vs->abort = false;
710         vnc_unlock_output(vs);
711     }
712 }
713 
714 int vnc_server_fb_stride(VncDisplay *vd)
715 {
716     return pixman_image_get_stride(vd->server);
717 }
718 
719 void *vnc_server_fb_ptr(VncDisplay *vd, int x, int y)
720 {
721     uint8_t *ptr;
722 
723     ptr  = (uint8_t *)pixman_image_get_data(vd->server);
724     ptr += y * vnc_server_fb_stride(vd);
725     ptr += x * VNC_SERVER_FB_BYTES;
726     return ptr;
727 }
728 
729 static void vnc_update_server_surface(VncDisplay *vd)
730 {
731     qemu_pixman_image_unref(vd->server);
732     vd->server = NULL;
733 
734     if (QTAILQ_EMPTY(&vd->clients)) {
735         return;
736     }
737 
738     vd->server = pixman_image_create_bits(VNC_SERVER_FB_FORMAT,
739                                           vnc_width(vd),
740                                           vnc_height(vd),
741                                           NULL, 0);
742 }
743 
744 static void vnc_dpy_switch(DisplayChangeListener *dcl,
745                            DisplaySurface *surface)
746 {
747     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
748     VncState *vs;
749     int width, height;
750 
751     vnc_abort_display_jobs(vd);
752     vd->ds = surface;
753 
754     /* server surface */
755     vnc_update_server_surface(vd);
756 
757     /* guest surface */
758     qemu_pixman_image_unref(vd->guest.fb);
759     vd->guest.fb = pixman_image_ref(surface->image);
760     vd->guest.format = surface->format;
761     width = vnc_width(vd);
762     height = vnc_height(vd);
763     memset(vd->guest.dirty, 0x00, sizeof(vd->guest.dirty));
764     vnc_set_area_dirty(vd->guest.dirty, vd, 0, 0,
765                        width, height);
766 
767     QTAILQ_FOREACH(vs, &vd->clients, next) {
768         vnc_colordepth(vs);
769         vnc_desktop_resize(vs);
770         if (vs->vd->cursor) {
771             vnc_cursor_define(vs);
772         }
773         memset(vs->dirty, 0x00, sizeof(vs->dirty));
774         vnc_set_area_dirty(vs->dirty, vd, 0, 0,
775                            width, height);
776     }
777 }
778 
779 /* fastest code */
780 static void vnc_write_pixels_copy(VncState *vs,
781                                   void *pixels, int size)
782 {
783     vnc_write(vs, pixels, size);
784 }
785 
786 /* slowest but generic code. */
787 void vnc_convert_pixel(VncState *vs, uint8_t *buf, uint32_t v)
788 {
789     uint8_t r, g, b;
790 
791 #if VNC_SERVER_FB_FORMAT == PIXMAN_FORMAT(32, PIXMAN_TYPE_ARGB, 0, 8, 8, 8)
792     r = (((v & 0x00ff0000) >> 16) << vs->client_pf.rbits) >> 8;
793     g = (((v & 0x0000ff00) >>  8) << vs->client_pf.gbits) >> 8;
794     b = (((v & 0x000000ff) >>  0) << vs->client_pf.bbits) >> 8;
795 #else
796 # error need some bits here if you change VNC_SERVER_FB_FORMAT
797 #endif
798     v = (r << vs->client_pf.rshift) |
799         (g << vs->client_pf.gshift) |
800         (b << vs->client_pf.bshift);
801     switch (vs->client_pf.bytes_per_pixel) {
802     case 1:
803         buf[0] = v;
804         break;
805     case 2:
806         if (vs->client_be) {
807             buf[0] = v >> 8;
808             buf[1] = v;
809         } else {
810             buf[1] = v >> 8;
811             buf[0] = v;
812         }
813         break;
814     default:
815     case 4:
816         if (vs->client_be) {
817             buf[0] = v >> 24;
818             buf[1] = v >> 16;
819             buf[2] = v >> 8;
820             buf[3] = v;
821         } else {
822             buf[3] = v >> 24;
823             buf[2] = v >> 16;
824             buf[1] = v >> 8;
825             buf[0] = v;
826         }
827         break;
828     }
829 }
830 
831 static void vnc_write_pixels_generic(VncState *vs,
832                                      void *pixels1, int size)
833 {
834     uint8_t buf[4];
835 
836     if (VNC_SERVER_FB_BYTES == 4) {
837         uint32_t *pixels = pixels1;
838         int n, i;
839         n = size >> 2;
840         for (i = 0; i < n; i++) {
841             vnc_convert_pixel(vs, buf, pixels[i]);
842             vnc_write(vs, buf, vs->client_pf.bytes_per_pixel);
843         }
844     }
845 }
846 
847 int vnc_raw_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
848 {
849     int i;
850     uint8_t *row;
851     VncDisplay *vd = vs->vd;
852 
853     row = vnc_server_fb_ptr(vd, x, y);
854     for (i = 0; i < h; i++) {
855         vs->write_pixels(vs, row, w * VNC_SERVER_FB_BYTES);
856         row += vnc_server_fb_stride(vd);
857     }
858     return 1;
859 }
860 
861 int vnc_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
862 {
863     int n = 0;
864     bool encode_raw = false;
865     size_t saved_offs = vs->output.offset;
866 
867     switch(vs->vnc_encoding) {
868         case VNC_ENCODING_ZLIB:
869             n = vnc_zlib_send_framebuffer_update(vs, x, y, w, h);
870             break;
871         case VNC_ENCODING_HEXTILE:
872             vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_HEXTILE);
873             n = vnc_hextile_send_framebuffer_update(vs, x, y, w, h);
874             break;
875         case VNC_ENCODING_TIGHT:
876             n = vnc_tight_send_framebuffer_update(vs, x, y, w, h);
877             break;
878         case VNC_ENCODING_TIGHT_PNG:
879             n = vnc_tight_png_send_framebuffer_update(vs, x, y, w, h);
880             break;
881         case VNC_ENCODING_ZRLE:
882             n = vnc_zrle_send_framebuffer_update(vs, x, y, w, h);
883             break;
884         case VNC_ENCODING_ZYWRLE:
885             n = vnc_zywrle_send_framebuffer_update(vs, x, y, w, h);
886             break;
887         default:
888             encode_raw = true;
889             break;
890     }
891 
892     /* If the client has the same pixel format as our internal buffer and
893      * a RAW encoding would need less space fall back to RAW encoding to
894      * save bandwidth and processing power in the client. */
895     if (!encode_raw && vs->write_pixels == vnc_write_pixels_copy &&
896         12 + h * w * VNC_SERVER_FB_BYTES <= (vs->output.offset - saved_offs)) {
897         vs->output.offset = saved_offs;
898         encode_raw = true;
899     }
900 
901     if (encode_raw) {
902         vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_RAW);
903         n = vnc_raw_send_framebuffer_update(vs, x, y, w, h);
904     }
905 
906     return n;
907 }
908 
909 static void vnc_copy(VncState *vs, int src_x, int src_y, int dst_x, int dst_y, int w, int h)
910 {
911     /* send bitblit op to the vnc client */
912     vnc_lock_output(vs);
913     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
914     vnc_write_u8(vs, 0);
915     vnc_write_u16(vs, 1); /* number of rects */
916     vnc_framebuffer_update(vs, dst_x, dst_y, w, h, VNC_ENCODING_COPYRECT);
917     vnc_write_u16(vs, src_x);
918     vnc_write_u16(vs, src_y);
919     vnc_unlock_output(vs);
920     vnc_flush(vs);
921 }
922 
923 static void vnc_dpy_copy(DisplayChangeListener *dcl,
924                          int src_x, int src_y,
925                          int dst_x, int dst_y, int w, int h)
926 {
927     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
928     VncState *vs, *vn;
929     uint8_t *src_row;
930     uint8_t *dst_row;
931     int i, x, y, pitch, inc, w_lim, s;
932     int cmp_bytes;
933 
934     if (!vd->server) {
935         /* no client connected */
936         return;
937     }
938 
939     vnc_refresh_server_surface(vd);
940     QTAILQ_FOREACH_SAFE(vs, &vd->clients, next, vn) {
941         if (vnc_has_feature(vs, VNC_FEATURE_COPYRECT)) {
942             vs->force_update = 1;
943             vnc_update_client(vs, 1, true);
944             /* vs might be free()ed here */
945         }
946     }
947 
948     /* do bitblit op on the local surface too */
949     pitch = vnc_server_fb_stride(vd);
950     src_row = vnc_server_fb_ptr(vd, src_x, src_y);
951     dst_row = vnc_server_fb_ptr(vd, dst_x, dst_y);
952     y = dst_y;
953     inc = 1;
954     if (dst_y > src_y) {
955         /* copy backwards */
956         src_row += pitch * (h-1);
957         dst_row += pitch * (h-1);
958         pitch = -pitch;
959         y = dst_y + h - 1;
960         inc = -1;
961     }
962     w_lim = w - (VNC_DIRTY_PIXELS_PER_BIT - (dst_x % VNC_DIRTY_PIXELS_PER_BIT));
963     if (w_lim < 0) {
964         w_lim = w;
965     } else {
966         w_lim = w - (w_lim % VNC_DIRTY_PIXELS_PER_BIT);
967     }
968     for (i = 0; i < h; i++) {
969         for (x = 0; x <= w_lim;
970                 x += s, src_row += cmp_bytes, dst_row += cmp_bytes) {
971             if (x == w_lim) {
972                 if ((s = w - w_lim) == 0)
973                     break;
974             } else if (!x) {
975                 s = (VNC_DIRTY_PIXELS_PER_BIT -
976                     (dst_x % VNC_DIRTY_PIXELS_PER_BIT));
977                 s = MIN(s, w_lim);
978             } else {
979                 s = VNC_DIRTY_PIXELS_PER_BIT;
980             }
981             cmp_bytes = s * VNC_SERVER_FB_BYTES;
982             if (memcmp(src_row, dst_row, cmp_bytes) == 0)
983                 continue;
984             memmove(dst_row, src_row, cmp_bytes);
985             QTAILQ_FOREACH(vs, &vd->clients, next) {
986                 if (!vnc_has_feature(vs, VNC_FEATURE_COPYRECT)) {
987                     set_bit(((x + dst_x) / VNC_DIRTY_PIXELS_PER_BIT),
988                             vs->dirty[y]);
989                 }
990             }
991         }
992         src_row += pitch - w * VNC_SERVER_FB_BYTES;
993         dst_row += pitch - w * VNC_SERVER_FB_BYTES;
994         y += inc;
995     }
996 
997     QTAILQ_FOREACH(vs, &vd->clients, next) {
998         if (vnc_has_feature(vs, VNC_FEATURE_COPYRECT)) {
999             vnc_copy(vs, src_x, src_y, dst_x, dst_y, w, h);
1000         }
1001     }
1002 }
1003 
1004 static void vnc_mouse_set(DisplayChangeListener *dcl,
1005                           int x, int y, int visible)
1006 {
1007     /* can we ask the client(s) to move the pointer ??? */
1008 }
1009 
1010 static int vnc_cursor_define(VncState *vs)
1011 {
1012     QEMUCursor *c = vs->vd->cursor;
1013     int isize;
1014 
1015     if (vnc_has_feature(vs, VNC_FEATURE_RICH_CURSOR)) {
1016         vnc_lock_output(vs);
1017         vnc_write_u8(vs,  VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1018         vnc_write_u8(vs,  0);  /*  padding     */
1019         vnc_write_u16(vs, 1);  /*  # of rects  */
1020         vnc_framebuffer_update(vs, c->hot_x, c->hot_y, c->width, c->height,
1021                                VNC_ENCODING_RICH_CURSOR);
1022         isize = c->width * c->height * vs->client_pf.bytes_per_pixel;
1023         vnc_write_pixels_generic(vs, c->data, isize);
1024         vnc_write(vs, vs->vd->cursor_mask, vs->vd->cursor_msize);
1025         vnc_unlock_output(vs);
1026         return 0;
1027     }
1028     return -1;
1029 }
1030 
1031 static void vnc_dpy_cursor_define(DisplayChangeListener *dcl,
1032                                   QEMUCursor *c)
1033 {
1034     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
1035     VncState *vs;
1036 
1037     cursor_put(vd->cursor);
1038     g_free(vd->cursor_mask);
1039 
1040     vd->cursor = c;
1041     cursor_get(vd->cursor);
1042     vd->cursor_msize = cursor_get_mono_bpl(c) * c->height;
1043     vd->cursor_mask = g_malloc0(vd->cursor_msize);
1044     cursor_get_mono_mask(c, 0, vd->cursor_mask);
1045 
1046     QTAILQ_FOREACH(vs, &vd->clients, next) {
1047         vnc_cursor_define(vs);
1048     }
1049 }
1050 
1051 static int find_and_clear_dirty_height(VncState *vs,
1052                                        int y, int last_x, int x, int height)
1053 {
1054     int h;
1055 
1056     for (h = 1; h < (height - y); h++) {
1057         if (!test_bit(last_x, vs->dirty[y + h])) {
1058             break;
1059         }
1060         bitmap_clear(vs->dirty[y + h], last_x, x - last_x);
1061     }
1062 
1063     return h;
1064 }
1065 
1066 static int vnc_update_client(VncState *vs, int has_dirty, bool sync)
1067 {
1068     vs->has_dirty += has_dirty;
1069     if (vs->need_update && vs->csock != -1) {
1070         VncDisplay *vd = vs->vd;
1071         VncJob *job;
1072         int y;
1073         int height, width;
1074         int n = 0;
1075 
1076         if (vs->output.offset && !vs->audio_cap && !vs->force_update)
1077             /* kernel send buffers are full -> drop frames to throttle */
1078             return 0;
1079 
1080         if (!vs->has_dirty && !vs->audio_cap && !vs->force_update)
1081             return 0;
1082 
1083         /*
1084          * Send screen updates to the vnc client using the server
1085          * surface and server dirty map.  guest surface updates
1086          * happening in parallel don't disturb us, the next pass will
1087          * send them to the client.
1088          */
1089         job = vnc_job_new(vs);
1090 
1091         height = pixman_image_get_height(vd->server);
1092         width = pixman_image_get_width(vd->server);
1093 
1094         y = 0;
1095         for (;;) {
1096             int x, h;
1097             unsigned long x2;
1098             unsigned long offset = find_next_bit((unsigned long *) &vs->dirty,
1099                                                  height * VNC_DIRTY_BPL(vs),
1100                                                  y * VNC_DIRTY_BPL(vs));
1101             if (offset == height * VNC_DIRTY_BPL(vs)) {
1102                 /* no more dirty bits */
1103                 break;
1104             }
1105             y = offset / VNC_DIRTY_BPL(vs);
1106             x = offset % VNC_DIRTY_BPL(vs);
1107             x2 = find_next_zero_bit((unsigned long *) &vs->dirty[y],
1108                                     VNC_DIRTY_BPL(vs), x);
1109             bitmap_clear(vs->dirty[y], x, x2 - x);
1110             h = find_and_clear_dirty_height(vs, y, x, x2, height);
1111             x2 = MIN(x2, width / VNC_DIRTY_PIXELS_PER_BIT);
1112             if (x2 > x) {
1113                 n += vnc_job_add_rect(job, x * VNC_DIRTY_PIXELS_PER_BIT, y,
1114                                       (x2 - x) * VNC_DIRTY_PIXELS_PER_BIT, h);
1115             }
1116             if (!x && x2 == width / VNC_DIRTY_PIXELS_PER_BIT) {
1117                 y += h;
1118                 if (y == height) {
1119                     break;
1120                 }
1121             }
1122         }
1123 
1124         vnc_job_push(job);
1125         if (sync) {
1126             vnc_jobs_join(vs);
1127         }
1128         vs->force_update = 0;
1129         vs->has_dirty = 0;
1130         return n;
1131     }
1132 
1133     if (vs->csock == -1) {
1134         vnc_disconnect_finish(vs);
1135     } else if (sync) {
1136         vnc_jobs_join(vs);
1137     }
1138 
1139     return 0;
1140 }
1141 
1142 /* audio */
1143 static void audio_capture_notify(void *opaque, audcnotification_e cmd)
1144 {
1145     VncState *vs = opaque;
1146 
1147     switch (cmd) {
1148     case AUD_CNOTIFY_DISABLE:
1149         vnc_lock_output(vs);
1150         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1151         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1152         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_END);
1153         vnc_unlock_output(vs);
1154         vnc_flush(vs);
1155         break;
1156 
1157     case AUD_CNOTIFY_ENABLE:
1158         vnc_lock_output(vs);
1159         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1160         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1161         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_BEGIN);
1162         vnc_unlock_output(vs);
1163         vnc_flush(vs);
1164         break;
1165     }
1166 }
1167 
1168 static void audio_capture_destroy(void *opaque)
1169 {
1170 }
1171 
1172 static void audio_capture(void *opaque, void *buf, int size)
1173 {
1174     VncState *vs = opaque;
1175 
1176     vnc_lock_output(vs);
1177     vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1178     vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1179     vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_DATA);
1180     vnc_write_u32(vs, size);
1181     vnc_write(vs, buf, size);
1182     vnc_unlock_output(vs);
1183     vnc_flush(vs);
1184 }
1185 
1186 static void audio_add(VncState *vs)
1187 {
1188     struct audio_capture_ops ops;
1189 
1190     if (vs->audio_cap) {
1191         error_report("audio already running");
1192         return;
1193     }
1194 
1195     ops.notify = audio_capture_notify;
1196     ops.destroy = audio_capture_destroy;
1197     ops.capture = audio_capture;
1198 
1199     vs->audio_cap = AUD_add_capture(&vs->as, &ops, vs);
1200     if (!vs->audio_cap) {
1201         error_report("Failed to add audio capture");
1202     }
1203 }
1204 
1205 static void audio_del(VncState *vs)
1206 {
1207     if (vs->audio_cap) {
1208         AUD_del_capture(vs->audio_cap, vs);
1209         vs->audio_cap = NULL;
1210     }
1211 }
1212 
1213 static void vnc_disconnect_start(VncState *vs)
1214 {
1215     if (vs->csock == -1)
1216         return;
1217     vnc_set_share_mode(vs, VNC_SHARE_MODE_DISCONNECTED);
1218     qemu_set_fd_handler(vs->csock, NULL, NULL, NULL);
1219     closesocket(vs->csock);
1220     vs->csock = -1;
1221 }
1222 
1223 void vnc_disconnect_finish(VncState *vs)
1224 {
1225     int i;
1226 
1227     vnc_jobs_join(vs); /* Wait encoding jobs */
1228 
1229     vnc_lock_output(vs);
1230     vnc_qmp_event(vs, QAPI_EVENT_VNC_DISCONNECTED);
1231 
1232     buffer_free(&vs->input);
1233     buffer_free(&vs->output);
1234     buffer_free(&vs->ws_input);
1235     buffer_free(&vs->ws_output);
1236 
1237     qapi_free_VncClientInfo(vs->info);
1238 
1239     vnc_zlib_clear(vs);
1240     vnc_tight_clear(vs);
1241     vnc_zrle_clear(vs);
1242 
1243     qcrypto_tls_session_free(vs->tls);
1244 #ifdef CONFIG_VNC_SASL
1245     vnc_sasl_client_cleanup(vs);
1246 #endif /* CONFIG_VNC_SASL */
1247     audio_del(vs);
1248     vnc_release_modifiers(vs);
1249 
1250     if (vs->initialized) {
1251         QTAILQ_REMOVE(&vs->vd->clients, vs, next);
1252         qemu_remove_mouse_mode_change_notifier(&vs->mouse_mode_notifier);
1253         if (QTAILQ_EMPTY(&vs->vd->clients)) {
1254             /* last client gone */
1255             vnc_update_server_surface(vs->vd);
1256         }
1257     }
1258 
1259     if (vs->vd->lock_key_sync)
1260         qemu_remove_led_event_handler(vs->led);
1261     vnc_unlock_output(vs);
1262 
1263     qemu_mutex_destroy(&vs->output_mutex);
1264     if (vs->bh != NULL) {
1265         qemu_bh_delete(vs->bh);
1266     }
1267     buffer_free(&vs->jobs_buffer);
1268 
1269     for (i = 0; i < VNC_STAT_ROWS; ++i) {
1270         g_free(vs->lossy_rect[i]);
1271     }
1272     g_free(vs->lossy_rect);
1273     g_free(vs);
1274 }
1275 
1276 ssize_t vnc_client_io_error(VncState *vs, ssize_t ret, int last_errno)
1277 {
1278     if (ret == 0 || ret == -1) {
1279         if (ret == -1) {
1280             switch (last_errno) {
1281                 case EINTR:
1282                 case EAGAIN:
1283 #ifdef _WIN32
1284                 case WSAEWOULDBLOCK:
1285 #endif
1286                     return 0;
1287                 default:
1288                     break;
1289             }
1290         }
1291 
1292         VNC_DEBUG("Closing down client sock: ret %zd, errno %d\n",
1293                   ret, ret < 0 ? last_errno : 0);
1294         vnc_disconnect_start(vs);
1295 
1296         return 0;
1297     }
1298     return ret;
1299 }
1300 
1301 
1302 void vnc_client_error(VncState *vs)
1303 {
1304     VNC_DEBUG("Closing down client sock: protocol error\n");
1305     vnc_disconnect_start(vs);
1306 }
1307 
1308 
1309 ssize_t vnc_tls_pull(char *buf, size_t len, void *opaque)
1310 {
1311     VncState *vs = opaque;
1312     ssize_t ret;
1313 
1314  retry:
1315     ret = qemu_recv(vs->csock, buf, len, 0);
1316     if (ret < 0) {
1317         if (errno == EINTR) {
1318             goto retry;
1319         }
1320         return -1;
1321     }
1322     return ret;
1323 }
1324 
1325 
1326 ssize_t vnc_tls_push(const char *buf, size_t len, void *opaque)
1327 {
1328     VncState *vs = opaque;
1329     ssize_t ret;
1330 
1331  retry:
1332     ret = send(vs->csock, buf, len, 0);
1333     if (ret < 0) {
1334         if (errno == EINTR) {
1335             goto retry;
1336         }
1337         return -1;
1338     }
1339     return ret;
1340 }
1341 
1342 
1343 /*
1344  * Called to write a chunk of data to the client socket. The data may
1345  * be the raw data, or may have already been encoded by SASL.
1346  * The data will be written either straight onto the socket, or
1347  * written via the GNUTLS wrappers, if TLS/SSL encryption is enabled
1348  *
1349  * NB, it is theoretically possible to have 2 layers of encryption,
1350  * both SASL, and this TLS layer. It is highly unlikely in practice
1351  * though, since SASL encryption will typically be a no-op if TLS
1352  * is active
1353  *
1354  * Returns the number of bytes written, which may be less than
1355  * the requested 'datalen' if the socket would block. Returns
1356  * -1 on error, and disconnects the client socket.
1357  */
1358 ssize_t vnc_client_write_buf(VncState *vs, const uint8_t *data, size_t datalen)
1359 {
1360     ssize_t ret;
1361     int err = 0;
1362     if (vs->tls) {
1363         ret = qcrypto_tls_session_write(vs->tls, (const char *)data, datalen);
1364         if (ret < 0) {
1365             err = errno;
1366         }
1367     } else {
1368         ret = send(vs->csock, (const void *)data, datalen, 0);
1369         if (ret < 0) {
1370             err = socket_error();
1371         }
1372     }
1373     VNC_DEBUG("Wrote wire %p %zd -> %ld\n", data, datalen, ret);
1374     return vnc_client_io_error(vs, ret, err);
1375 }
1376 
1377 
1378 /*
1379  * Called to write buffered data to the client socket, when not
1380  * using any SASL SSF encryption layers. Will write as much data
1381  * as possible without blocking. If all buffered data is written,
1382  * will switch the FD poll() handler back to read monitoring.
1383  *
1384  * Returns the number of bytes written, which may be less than
1385  * the buffered output data if the socket would block. Returns
1386  * -1 on error, and disconnects the client socket.
1387  */
1388 static ssize_t vnc_client_write_plain(VncState *vs)
1389 {
1390     ssize_t ret;
1391 
1392 #ifdef CONFIG_VNC_SASL
1393     VNC_DEBUG("Write Plain: Pending output %p size %zd offset %zd. Wait SSF %d\n",
1394               vs->output.buffer, vs->output.capacity, vs->output.offset,
1395               vs->sasl.waitWriteSSF);
1396 
1397     if (vs->sasl.conn &&
1398         vs->sasl.runSSF &&
1399         vs->sasl.waitWriteSSF) {
1400         ret = vnc_client_write_buf(vs, vs->output.buffer, vs->sasl.waitWriteSSF);
1401         if (ret)
1402             vs->sasl.waitWriteSSF -= ret;
1403     } else
1404 #endif /* CONFIG_VNC_SASL */
1405         ret = vnc_client_write_buf(vs, vs->output.buffer, vs->output.offset);
1406     if (!ret)
1407         return 0;
1408 
1409     buffer_advance(&vs->output, ret);
1410 
1411     if (vs->output.offset == 0) {
1412         qemu_set_fd_handler(vs->csock, vnc_client_read, NULL, vs);
1413     }
1414 
1415     return ret;
1416 }
1417 
1418 
1419 /*
1420  * First function called whenever there is data to be written to
1421  * the client socket. Will delegate actual work according to whether
1422  * SASL SSF layers are enabled (thus requiring encryption calls)
1423  */
1424 static void vnc_client_write_locked(void *opaque)
1425 {
1426     VncState *vs = opaque;
1427 
1428 #ifdef CONFIG_VNC_SASL
1429     if (vs->sasl.conn &&
1430         vs->sasl.runSSF &&
1431         !vs->sasl.waitWriteSSF) {
1432         vnc_client_write_sasl(vs);
1433     } else
1434 #endif /* CONFIG_VNC_SASL */
1435     {
1436         if (vs->encode_ws) {
1437             vnc_client_write_ws(vs);
1438         } else {
1439             vnc_client_write_plain(vs);
1440         }
1441     }
1442 }
1443 
1444 void vnc_client_write(void *opaque)
1445 {
1446     VncState *vs = opaque;
1447 
1448     vnc_lock_output(vs);
1449     if (vs->output.offset || vs->ws_output.offset) {
1450         vnc_client_write_locked(opaque);
1451     } else if (vs->csock != -1) {
1452         qemu_set_fd_handler(vs->csock, vnc_client_read, NULL, vs);
1453     }
1454     vnc_unlock_output(vs);
1455 }
1456 
1457 void vnc_read_when(VncState *vs, VncReadEvent *func, size_t expecting)
1458 {
1459     vs->read_handler = func;
1460     vs->read_handler_expect = expecting;
1461 }
1462 
1463 
1464 /*
1465  * Called to read a chunk of data from the client socket. The data may
1466  * be the raw data, or may need to be further decoded by SASL.
1467  * The data will be read either straight from to the socket, or
1468  * read via the GNUTLS wrappers, if TLS/SSL encryption is enabled
1469  *
1470  * NB, it is theoretically possible to have 2 layers of encryption,
1471  * both SASL, and this TLS layer. It is highly unlikely in practice
1472  * though, since SASL encryption will typically be a no-op if TLS
1473  * is active
1474  *
1475  * Returns the number of bytes read, which may be less than
1476  * the requested 'datalen' if the socket would block. Returns
1477  * -1 on error, and disconnects the client socket.
1478  */
1479 ssize_t vnc_client_read_buf(VncState *vs, uint8_t *data, size_t datalen)
1480 {
1481     ssize_t ret;
1482     int err = -1;
1483     if (vs->tls) {
1484         ret = qcrypto_tls_session_read(vs->tls, (char *)data, datalen);
1485         if (ret < 0) {
1486             err = errno;
1487         }
1488     } else {
1489         ret = qemu_recv(vs->csock, data, datalen, 0);
1490         if (ret < 0) {
1491             err = socket_error();
1492         }
1493     }
1494     VNC_DEBUG("Read wire %p %zd -> %ld\n", data, datalen, ret);
1495     return vnc_client_io_error(vs, ret, err);
1496 }
1497 
1498 
1499 /*
1500  * Called to read data from the client socket to the input buffer,
1501  * when not using any SASL SSF encryption layers. Will read as much
1502  * data as possible without blocking.
1503  *
1504  * Returns the number of bytes read. Returns -1 on error, and
1505  * disconnects the client socket.
1506  */
1507 static ssize_t vnc_client_read_plain(VncState *vs)
1508 {
1509     ssize_t ret;
1510     VNC_DEBUG("Read plain %p size %zd offset %zd\n",
1511               vs->input.buffer, vs->input.capacity, vs->input.offset);
1512     buffer_reserve(&vs->input, 4096);
1513     ret = vnc_client_read_buf(vs, buffer_end(&vs->input), 4096);
1514     if (!ret)
1515         return 0;
1516     vs->input.offset += ret;
1517     return ret;
1518 }
1519 
1520 static void vnc_jobs_bh(void *opaque)
1521 {
1522     VncState *vs = opaque;
1523 
1524     vnc_jobs_consume_buffer(vs);
1525 }
1526 
1527 /*
1528  * First function called whenever there is more data to be read from
1529  * the client socket. Will delegate actual work according to whether
1530  * SASL SSF layers are enabled (thus requiring decryption calls)
1531  */
1532 void vnc_client_read(void *opaque)
1533 {
1534     VncState *vs = opaque;
1535     ssize_t ret;
1536 
1537 #ifdef CONFIG_VNC_SASL
1538     if (vs->sasl.conn && vs->sasl.runSSF)
1539         ret = vnc_client_read_sasl(vs);
1540     else
1541 #endif /* CONFIG_VNC_SASL */
1542         if (vs->encode_ws) {
1543             ret = vnc_client_read_ws(vs);
1544             if (ret == -1) {
1545                 vnc_disconnect_start(vs);
1546                 return;
1547             } else if (ret == -2) {
1548                 vnc_client_error(vs);
1549                 return;
1550             }
1551         } else {
1552             ret = vnc_client_read_plain(vs);
1553         }
1554     if (!ret) {
1555         if (vs->csock == -1)
1556             vnc_disconnect_finish(vs);
1557         return;
1558     }
1559 
1560     while (vs->read_handler && vs->input.offset >= vs->read_handler_expect) {
1561         size_t len = vs->read_handler_expect;
1562         int ret;
1563 
1564         ret = vs->read_handler(vs, vs->input.buffer, len);
1565         if (vs->csock == -1) {
1566             vnc_disconnect_finish(vs);
1567             return;
1568         }
1569 
1570         if (!ret) {
1571             buffer_advance(&vs->input, len);
1572         } else {
1573             vs->read_handler_expect = ret;
1574         }
1575     }
1576 }
1577 
1578 void vnc_write(VncState *vs, const void *data, size_t len)
1579 {
1580     buffer_reserve(&vs->output, len);
1581 
1582     if (vs->csock != -1 && buffer_empty(&vs->output)) {
1583         qemu_set_fd_handler(vs->csock, vnc_client_read, vnc_client_write, vs);
1584     }
1585 
1586     buffer_append(&vs->output, data, len);
1587 }
1588 
1589 void vnc_write_s32(VncState *vs, int32_t value)
1590 {
1591     vnc_write_u32(vs, *(uint32_t *)&value);
1592 }
1593 
1594 void vnc_write_u32(VncState *vs, uint32_t value)
1595 {
1596     uint8_t buf[4];
1597 
1598     buf[0] = (value >> 24) & 0xFF;
1599     buf[1] = (value >> 16) & 0xFF;
1600     buf[2] = (value >>  8) & 0xFF;
1601     buf[3] = value & 0xFF;
1602 
1603     vnc_write(vs, buf, 4);
1604 }
1605 
1606 void vnc_write_u16(VncState *vs, uint16_t value)
1607 {
1608     uint8_t buf[2];
1609 
1610     buf[0] = (value >> 8) & 0xFF;
1611     buf[1] = value & 0xFF;
1612 
1613     vnc_write(vs, buf, 2);
1614 }
1615 
1616 void vnc_write_u8(VncState *vs, uint8_t value)
1617 {
1618     vnc_write(vs, (char *)&value, 1);
1619 }
1620 
1621 void vnc_flush(VncState *vs)
1622 {
1623     vnc_lock_output(vs);
1624     if (vs->csock != -1 && (vs->output.offset ||
1625                             vs->ws_output.offset)) {
1626         vnc_client_write_locked(vs);
1627     }
1628     vnc_unlock_output(vs);
1629 }
1630 
1631 static uint8_t read_u8(uint8_t *data, size_t offset)
1632 {
1633     return data[offset];
1634 }
1635 
1636 static uint16_t read_u16(uint8_t *data, size_t offset)
1637 {
1638     return ((data[offset] & 0xFF) << 8) | (data[offset + 1] & 0xFF);
1639 }
1640 
1641 static int32_t read_s32(uint8_t *data, size_t offset)
1642 {
1643     return (int32_t)((data[offset] << 24) | (data[offset + 1] << 16) |
1644                      (data[offset + 2] << 8) | data[offset + 3]);
1645 }
1646 
1647 uint32_t read_u32(uint8_t *data, size_t offset)
1648 {
1649     return ((data[offset] << 24) | (data[offset + 1] << 16) |
1650             (data[offset + 2] << 8) | data[offset + 3]);
1651 }
1652 
1653 static void client_cut_text(VncState *vs, size_t len, uint8_t *text)
1654 {
1655 }
1656 
1657 static void check_pointer_type_change(Notifier *notifier, void *data)
1658 {
1659     VncState *vs = container_of(notifier, VncState, mouse_mode_notifier);
1660     int absolute = qemu_input_is_absolute();
1661 
1662     if (vnc_has_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE) && vs->absolute != absolute) {
1663         vnc_lock_output(vs);
1664         vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1665         vnc_write_u8(vs, 0);
1666         vnc_write_u16(vs, 1);
1667         vnc_framebuffer_update(vs, absolute, 0,
1668                                pixman_image_get_width(vs->vd->server),
1669                                pixman_image_get_height(vs->vd->server),
1670                                VNC_ENCODING_POINTER_TYPE_CHANGE);
1671         vnc_unlock_output(vs);
1672         vnc_flush(vs);
1673     }
1674     vs->absolute = absolute;
1675 }
1676 
1677 static void pointer_event(VncState *vs, int button_mask, int x, int y)
1678 {
1679     static uint32_t bmap[INPUT_BUTTON__MAX] = {
1680         [INPUT_BUTTON_LEFT]       = 0x01,
1681         [INPUT_BUTTON_MIDDLE]     = 0x02,
1682         [INPUT_BUTTON_RIGHT]      = 0x04,
1683         [INPUT_BUTTON_WHEELUP]    = 0x08,
1684         [INPUT_BUTTON_WHEELDOWN]  = 0x10,
1685     };
1686     QemuConsole *con = vs->vd->dcl.con;
1687     int width = pixman_image_get_width(vs->vd->server);
1688     int height = pixman_image_get_height(vs->vd->server);
1689 
1690     if (vs->last_bmask != button_mask) {
1691         qemu_input_update_buttons(con, bmap, vs->last_bmask, button_mask);
1692         vs->last_bmask = button_mask;
1693     }
1694 
1695     if (vs->absolute) {
1696         qemu_input_queue_abs(con, INPUT_AXIS_X, x, width);
1697         qemu_input_queue_abs(con, INPUT_AXIS_Y, y, height);
1698     } else if (vnc_has_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE)) {
1699         qemu_input_queue_rel(con, INPUT_AXIS_X, x - 0x7FFF);
1700         qemu_input_queue_rel(con, INPUT_AXIS_Y, y - 0x7FFF);
1701     } else {
1702         if (vs->last_x != -1) {
1703             qemu_input_queue_rel(con, INPUT_AXIS_X, x - vs->last_x);
1704             qemu_input_queue_rel(con, INPUT_AXIS_Y, y - vs->last_y);
1705         }
1706         vs->last_x = x;
1707         vs->last_y = y;
1708     }
1709     qemu_input_event_sync();
1710 }
1711 
1712 static void reset_keys(VncState *vs)
1713 {
1714     int i;
1715     for(i = 0; i < 256; i++) {
1716         if (vs->modifiers_state[i]) {
1717             qemu_input_event_send_key_number(vs->vd->dcl.con, i, false);
1718             vs->modifiers_state[i] = 0;
1719         }
1720     }
1721 }
1722 
1723 static void press_key(VncState *vs, int keysym)
1724 {
1725     int keycode = keysym2scancode(vs->vd->kbd_layout, keysym) & SCANCODE_KEYMASK;
1726     qemu_input_event_send_key_number(vs->vd->dcl.con, keycode, true);
1727     qemu_input_event_send_key_delay(0);
1728     qemu_input_event_send_key_number(vs->vd->dcl.con, keycode, false);
1729     qemu_input_event_send_key_delay(0);
1730 }
1731 
1732 static int current_led_state(VncState *vs)
1733 {
1734     int ledstate = 0;
1735 
1736     if (vs->modifiers_state[0x46]) {
1737         ledstate |= QEMU_SCROLL_LOCK_LED;
1738     }
1739     if (vs->modifiers_state[0x45]) {
1740         ledstate |= QEMU_NUM_LOCK_LED;
1741     }
1742     if (vs->modifiers_state[0x3a]) {
1743         ledstate |= QEMU_CAPS_LOCK_LED;
1744     }
1745 
1746     return ledstate;
1747 }
1748 
1749 static void vnc_led_state_change(VncState *vs)
1750 {
1751     int ledstate = 0;
1752 
1753     if (!vnc_has_feature(vs, VNC_FEATURE_LED_STATE)) {
1754         return;
1755     }
1756 
1757     ledstate = current_led_state(vs);
1758     vnc_lock_output(vs);
1759     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1760     vnc_write_u8(vs, 0);
1761     vnc_write_u16(vs, 1);
1762     vnc_framebuffer_update(vs, 0, 0, 1, 1, VNC_ENCODING_LED_STATE);
1763     vnc_write_u8(vs, ledstate);
1764     vnc_unlock_output(vs);
1765     vnc_flush(vs);
1766 }
1767 
1768 static void kbd_leds(void *opaque, int ledstate)
1769 {
1770     VncState *vs = opaque;
1771     int caps, num, scr;
1772     bool has_changed = (ledstate != current_led_state(vs));
1773 
1774     trace_vnc_key_guest_leds((ledstate & QEMU_CAPS_LOCK_LED),
1775                              (ledstate & QEMU_NUM_LOCK_LED),
1776                              (ledstate & QEMU_SCROLL_LOCK_LED));
1777 
1778     caps = ledstate & QEMU_CAPS_LOCK_LED ? 1 : 0;
1779     num  = ledstate & QEMU_NUM_LOCK_LED  ? 1 : 0;
1780     scr  = ledstate & QEMU_SCROLL_LOCK_LED ? 1 : 0;
1781 
1782     if (vs->modifiers_state[0x3a] != caps) {
1783         vs->modifiers_state[0x3a] = caps;
1784     }
1785     if (vs->modifiers_state[0x45] != num) {
1786         vs->modifiers_state[0x45] = num;
1787     }
1788     if (vs->modifiers_state[0x46] != scr) {
1789         vs->modifiers_state[0x46] = scr;
1790     }
1791 
1792     /* Sending the current led state message to the client */
1793     if (has_changed) {
1794         vnc_led_state_change(vs);
1795     }
1796 }
1797 
1798 static void do_key_event(VncState *vs, int down, int keycode, int sym)
1799 {
1800     /* QEMU console switch */
1801     switch(keycode) {
1802     case 0x2a:                          /* Left Shift */
1803     case 0x36:                          /* Right Shift */
1804     case 0x1d:                          /* Left CTRL */
1805     case 0x9d:                          /* Right CTRL */
1806     case 0x38:                          /* Left ALT */
1807     case 0xb8:                          /* Right ALT */
1808         if (down)
1809             vs->modifiers_state[keycode] = 1;
1810         else
1811             vs->modifiers_state[keycode] = 0;
1812         break;
1813     case 0x02 ... 0x0a: /* '1' to '9' keys */
1814         if (vs->vd->dcl.con == NULL &&
1815             down && vs->modifiers_state[0x1d] && vs->modifiers_state[0x38]) {
1816             /* Reset the modifiers sent to the current console */
1817             reset_keys(vs);
1818             console_select(keycode - 0x02);
1819             return;
1820         }
1821         break;
1822     case 0x3a:                        /* CapsLock */
1823     case 0x45:                        /* NumLock */
1824         if (down)
1825             vs->modifiers_state[keycode] ^= 1;
1826         break;
1827     }
1828 
1829     /* Turn off the lock state sync logic if the client support the led
1830        state extension.
1831     */
1832     if (down && vs->vd->lock_key_sync &&
1833         !vnc_has_feature(vs, VNC_FEATURE_LED_STATE) &&
1834         keycode_is_keypad(vs->vd->kbd_layout, keycode)) {
1835         /* If the numlock state needs to change then simulate an additional
1836            keypress before sending this one.  This will happen if the user
1837            toggles numlock away from the VNC window.
1838         */
1839         if (keysym_is_numlock(vs->vd->kbd_layout, sym & 0xFFFF)) {
1840             if (!vs->modifiers_state[0x45]) {
1841                 trace_vnc_key_sync_numlock(true);
1842                 vs->modifiers_state[0x45] = 1;
1843                 press_key(vs, 0xff7f);
1844             }
1845         } else {
1846             if (vs->modifiers_state[0x45]) {
1847                 trace_vnc_key_sync_numlock(false);
1848                 vs->modifiers_state[0x45] = 0;
1849                 press_key(vs, 0xff7f);
1850             }
1851         }
1852     }
1853 
1854     if (down && vs->vd->lock_key_sync &&
1855         !vnc_has_feature(vs, VNC_FEATURE_LED_STATE) &&
1856         ((sym >= 'A' && sym <= 'Z') || (sym >= 'a' && sym <= 'z'))) {
1857         /* If the capslock state needs to change then simulate an additional
1858            keypress before sending this one.  This will happen if the user
1859            toggles capslock away from the VNC window.
1860         */
1861         int uppercase = !!(sym >= 'A' && sym <= 'Z');
1862         int shift = !!(vs->modifiers_state[0x2a] | vs->modifiers_state[0x36]);
1863         int capslock = !!(vs->modifiers_state[0x3a]);
1864         if (capslock) {
1865             if (uppercase == shift) {
1866                 trace_vnc_key_sync_capslock(false);
1867                 vs->modifiers_state[0x3a] = 0;
1868                 press_key(vs, 0xffe5);
1869             }
1870         } else {
1871             if (uppercase != shift) {
1872                 trace_vnc_key_sync_capslock(true);
1873                 vs->modifiers_state[0x3a] = 1;
1874                 press_key(vs, 0xffe5);
1875             }
1876         }
1877     }
1878 
1879     if (qemu_console_is_graphic(NULL)) {
1880         qemu_input_event_send_key_number(vs->vd->dcl.con, keycode, down);
1881     } else {
1882         bool numlock = vs->modifiers_state[0x45];
1883         bool control = (vs->modifiers_state[0x1d] ||
1884                         vs->modifiers_state[0x9d]);
1885         /* QEMU console emulation */
1886         if (down) {
1887             switch (keycode) {
1888             case 0x2a:                          /* Left Shift */
1889             case 0x36:                          /* Right Shift */
1890             case 0x1d:                          /* Left CTRL */
1891             case 0x9d:                          /* Right CTRL */
1892             case 0x38:                          /* Left ALT */
1893             case 0xb8:                          /* Right ALT */
1894                 break;
1895             case 0xc8:
1896                 kbd_put_keysym(QEMU_KEY_UP);
1897                 break;
1898             case 0xd0:
1899                 kbd_put_keysym(QEMU_KEY_DOWN);
1900                 break;
1901             case 0xcb:
1902                 kbd_put_keysym(QEMU_KEY_LEFT);
1903                 break;
1904             case 0xcd:
1905                 kbd_put_keysym(QEMU_KEY_RIGHT);
1906                 break;
1907             case 0xd3:
1908                 kbd_put_keysym(QEMU_KEY_DELETE);
1909                 break;
1910             case 0xc7:
1911                 kbd_put_keysym(QEMU_KEY_HOME);
1912                 break;
1913             case 0xcf:
1914                 kbd_put_keysym(QEMU_KEY_END);
1915                 break;
1916             case 0xc9:
1917                 kbd_put_keysym(QEMU_KEY_PAGEUP);
1918                 break;
1919             case 0xd1:
1920                 kbd_put_keysym(QEMU_KEY_PAGEDOWN);
1921                 break;
1922 
1923             case 0x47:
1924                 kbd_put_keysym(numlock ? '7' : QEMU_KEY_HOME);
1925                 break;
1926             case 0x48:
1927                 kbd_put_keysym(numlock ? '8' : QEMU_KEY_UP);
1928                 break;
1929             case 0x49:
1930                 kbd_put_keysym(numlock ? '9' : QEMU_KEY_PAGEUP);
1931                 break;
1932             case 0x4b:
1933                 kbd_put_keysym(numlock ? '4' : QEMU_KEY_LEFT);
1934                 break;
1935             case 0x4c:
1936                 kbd_put_keysym('5');
1937                 break;
1938             case 0x4d:
1939                 kbd_put_keysym(numlock ? '6' : QEMU_KEY_RIGHT);
1940                 break;
1941             case 0x4f:
1942                 kbd_put_keysym(numlock ? '1' : QEMU_KEY_END);
1943                 break;
1944             case 0x50:
1945                 kbd_put_keysym(numlock ? '2' : QEMU_KEY_DOWN);
1946                 break;
1947             case 0x51:
1948                 kbd_put_keysym(numlock ? '3' : QEMU_KEY_PAGEDOWN);
1949                 break;
1950             case 0x52:
1951                 kbd_put_keysym('0');
1952                 break;
1953             case 0x53:
1954                 kbd_put_keysym(numlock ? '.' : QEMU_KEY_DELETE);
1955                 break;
1956 
1957             case 0xb5:
1958                 kbd_put_keysym('/');
1959                 break;
1960             case 0x37:
1961                 kbd_put_keysym('*');
1962                 break;
1963             case 0x4a:
1964                 kbd_put_keysym('-');
1965                 break;
1966             case 0x4e:
1967                 kbd_put_keysym('+');
1968                 break;
1969             case 0x9c:
1970                 kbd_put_keysym('\n');
1971                 break;
1972 
1973             default:
1974                 if (control) {
1975                     kbd_put_keysym(sym & 0x1f);
1976                 } else {
1977                     kbd_put_keysym(sym);
1978                 }
1979                 break;
1980             }
1981         }
1982     }
1983 }
1984 
1985 static void vnc_release_modifiers(VncState *vs)
1986 {
1987     static const int keycodes[] = {
1988         /* shift, control, alt keys, both left & right */
1989         0x2a, 0x36, 0x1d, 0x9d, 0x38, 0xb8,
1990     };
1991     int i, keycode;
1992 
1993     if (!qemu_console_is_graphic(NULL)) {
1994         return;
1995     }
1996     for (i = 0; i < ARRAY_SIZE(keycodes); i++) {
1997         keycode = keycodes[i];
1998         if (!vs->modifiers_state[keycode]) {
1999             continue;
2000         }
2001         qemu_input_event_send_key_number(vs->vd->dcl.con, keycode, false);
2002     }
2003 }
2004 
2005 static const char *code2name(int keycode)
2006 {
2007     return QKeyCode_lookup[qemu_input_key_number_to_qcode(keycode)];
2008 }
2009 
2010 static void key_event(VncState *vs, int down, uint32_t sym)
2011 {
2012     int keycode;
2013     int lsym = sym;
2014 
2015     if (lsym >= 'A' && lsym <= 'Z' && qemu_console_is_graphic(NULL)) {
2016         lsym = lsym - 'A' + 'a';
2017     }
2018 
2019     keycode = keysym2scancode(vs->vd->kbd_layout, lsym & 0xFFFF) & SCANCODE_KEYMASK;
2020     trace_vnc_key_event_map(down, sym, keycode, code2name(keycode));
2021     do_key_event(vs, down, keycode, sym);
2022 }
2023 
2024 static void ext_key_event(VncState *vs, int down,
2025                           uint32_t sym, uint16_t keycode)
2026 {
2027     /* if the user specifies a keyboard layout, always use it */
2028     if (keyboard_layout) {
2029         key_event(vs, down, sym);
2030     } else {
2031         trace_vnc_key_event_ext(down, sym, keycode, code2name(keycode));
2032         do_key_event(vs, down, keycode, sym);
2033     }
2034 }
2035 
2036 static void framebuffer_update_request(VncState *vs, int incremental,
2037                                        int x, int y, int w, int h)
2038 {
2039     vs->need_update = 1;
2040 
2041     if (incremental) {
2042         return;
2043     }
2044 
2045     vs->force_update = 1;
2046     vnc_set_area_dirty(vs->dirty, vs->vd, x, y, w, h);
2047 }
2048 
2049 static void send_ext_key_event_ack(VncState *vs)
2050 {
2051     vnc_lock_output(vs);
2052     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2053     vnc_write_u8(vs, 0);
2054     vnc_write_u16(vs, 1);
2055     vnc_framebuffer_update(vs, 0, 0,
2056                            pixman_image_get_width(vs->vd->server),
2057                            pixman_image_get_height(vs->vd->server),
2058                            VNC_ENCODING_EXT_KEY_EVENT);
2059     vnc_unlock_output(vs);
2060     vnc_flush(vs);
2061 }
2062 
2063 static void send_ext_audio_ack(VncState *vs)
2064 {
2065     vnc_lock_output(vs);
2066     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2067     vnc_write_u8(vs, 0);
2068     vnc_write_u16(vs, 1);
2069     vnc_framebuffer_update(vs, 0, 0,
2070                            pixman_image_get_width(vs->vd->server),
2071                            pixman_image_get_height(vs->vd->server),
2072                            VNC_ENCODING_AUDIO);
2073     vnc_unlock_output(vs);
2074     vnc_flush(vs);
2075 }
2076 
2077 static void set_encodings(VncState *vs, int32_t *encodings, size_t n_encodings)
2078 {
2079     int i;
2080     unsigned int enc = 0;
2081 
2082     vs->features = 0;
2083     vs->vnc_encoding = 0;
2084     vs->tight.compression = 9;
2085     vs->tight.quality = -1; /* Lossless by default */
2086     vs->absolute = -1;
2087 
2088     /*
2089      * Start from the end because the encodings are sent in order of preference.
2090      * This way the preferred encoding (first encoding defined in the array)
2091      * will be set at the end of the loop.
2092      */
2093     for (i = n_encodings - 1; i >= 0; i--) {
2094         enc = encodings[i];
2095         switch (enc) {
2096         case VNC_ENCODING_RAW:
2097             vs->vnc_encoding = enc;
2098             break;
2099         case VNC_ENCODING_COPYRECT:
2100             vs->features |= VNC_FEATURE_COPYRECT_MASK;
2101             break;
2102         case VNC_ENCODING_HEXTILE:
2103             vs->features |= VNC_FEATURE_HEXTILE_MASK;
2104             vs->vnc_encoding = enc;
2105             break;
2106         case VNC_ENCODING_TIGHT:
2107             vs->features |= VNC_FEATURE_TIGHT_MASK;
2108             vs->vnc_encoding = enc;
2109             break;
2110 #ifdef CONFIG_VNC_PNG
2111         case VNC_ENCODING_TIGHT_PNG:
2112             vs->features |= VNC_FEATURE_TIGHT_PNG_MASK;
2113             vs->vnc_encoding = enc;
2114             break;
2115 #endif
2116         case VNC_ENCODING_ZLIB:
2117             vs->features |= VNC_FEATURE_ZLIB_MASK;
2118             vs->vnc_encoding = enc;
2119             break;
2120         case VNC_ENCODING_ZRLE:
2121             vs->features |= VNC_FEATURE_ZRLE_MASK;
2122             vs->vnc_encoding = enc;
2123             break;
2124         case VNC_ENCODING_ZYWRLE:
2125             vs->features |= VNC_FEATURE_ZYWRLE_MASK;
2126             vs->vnc_encoding = enc;
2127             break;
2128         case VNC_ENCODING_DESKTOPRESIZE:
2129             vs->features |= VNC_FEATURE_RESIZE_MASK;
2130             break;
2131         case VNC_ENCODING_POINTER_TYPE_CHANGE:
2132             vs->features |= VNC_FEATURE_POINTER_TYPE_CHANGE_MASK;
2133             break;
2134         case VNC_ENCODING_RICH_CURSOR:
2135             vs->features |= VNC_FEATURE_RICH_CURSOR_MASK;
2136             break;
2137         case VNC_ENCODING_EXT_KEY_EVENT:
2138             send_ext_key_event_ack(vs);
2139             break;
2140         case VNC_ENCODING_AUDIO:
2141             send_ext_audio_ack(vs);
2142             break;
2143         case VNC_ENCODING_WMVi:
2144             vs->features |= VNC_FEATURE_WMVI_MASK;
2145             break;
2146         case VNC_ENCODING_LED_STATE:
2147             vs->features |= VNC_FEATURE_LED_STATE_MASK;
2148             break;
2149         case VNC_ENCODING_COMPRESSLEVEL0 ... VNC_ENCODING_COMPRESSLEVEL0 + 9:
2150             vs->tight.compression = (enc & 0x0F);
2151             break;
2152         case VNC_ENCODING_QUALITYLEVEL0 ... VNC_ENCODING_QUALITYLEVEL0 + 9:
2153             if (vs->vd->lossy) {
2154                 vs->tight.quality = (enc & 0x0F);
2155             }
2156             break;
2157         default:
2158             VNC_DEBUG("Unknown encoding: %d (0x%.8x): %d\n", i, enc, enc);
2159             break;
2160         }
2161     }
2162     vnc_desktop_resize(vs);
2163     check_pointer_type_change(&vs->mouse_mode_notifier, NULL);
2164     vnc_led_state_change(vs);
2165 }
2166 
2167 static void set_pixel_conversion(VncState *vs)
2168 {
2169     pixman_format_code_t fmt = qemu_pixman_get_format(&vs->client_pf);
2170 
2171     if (fmt == VNC_SERVER_FB_FORMAT) {
2172         vs->write_pixels = vnc_write_pixels_copy;
2173         vnc_hextile_set_pixel_conversion(vs, 0);
2174     } else {
2175         vs->write_pixels = vnc_write_pixels_generic;
2176         vnc_hextile_set_pixel_conversion(vs, 1);
2177     }
2178 }
2179 
2180 static void set_pixel_format(VncState *vs,
2181                              int bits_per_pixel, int depth,
2182                              int big_endian_flag, int true_color_flag,
2183                              int red_max, int green_max, int blue_max,
2184                              int red_shift, int green_shift, int blue_shift)
2185 {
2186     if (!true_color_flag) {
2187         vnc_client_error(vs);
2188         return;
2189     }
2190 
2191     switch (bits_per_pixel) {
2192     case 8:
2193     case 16:
2194     case 32:
2195         break;
2196     default:
2197         vnc_client_error(vs);
2198         return;
2199     }
2200 
2201     vs->client_pf.rmax = red_max ? red_max : 0xFF;
2202     vs->client_pf.rbits = hweight_long(red_max);
2203     vs->client_pf.rshift = red_shift;
2204     vs->client_pf.rmask = red_max << red_shift;
2205     vs->client_pf.gmax = green_max ? green_max : 0xFF;
2206     vs->client_pf.gbits = hweight_long(green_max);
2207     vs->client_pf.gshift = green_shift;
2208     vs->client_pf.gmask = green_max << green_shift;
2209     vs->client_pf.bmax = blue_max ? blue_max : 0xFF;
2210     vs->client_pf.bbits = hweight_long(blue_max);
2211     vs->client_pf.bshift = blue_shift;
2212     vs->client_pf.bmask = blue_max << blue_shift;
2213     vs->client_pf.bits_per_pixel = bits_per_pixel;
2214     vs->client_pf.bytes_per_pixel = bits_per_pixel / 8;
2215     vs->client_pf.depth = bits_per_pixel == 32 ? 24 : bits_per_pixel;
2216     vs->client_be = big_endian_flag;
2217 
2218     set_pixel_conversion(vs);
2219 
2220     graphic_hw_invalidate(vs->vd->dcl.con);
2221     graphic_hw_update(vs->vd->dcl.con);
2222 }
2223 
2224 static void pixel_format_message (VncState *vs) {
2225     char pad[3] = { 0, 0, 0 };
2226 
2227     vs->client_pf = qemu_default_pixelformat(32);
2228 
2229     vnc_write_u8(vs, vs->client_pf.bits_per_pixel); /* bits-per-pixel */
2230     vnc_write_u8(vs, vs->client_pf.depth); /* depth */
2231 
2232 #ifdef HOST_WORDS_BIGENDIAN
2233     vnc_write_u8(vs, 1);             /* big-endian-flag */
2234 #else
2235     vnc_write_u8(vs, 0);             /* big-endian-flag */
2236 #endif
2237     vnc_write_u8(vs, 1);             /* true-color-flag */
2238     vnc_write_u16(vs, vs->client_pf.rmax);     /* red-max */
2239     vnc_write_u16(vs, vs->client_pf.gmax);     /* green-max */
2240     vnc_write_u16(vs, vs->client_pf.bmax);     /* blue-max */
2241     vnc_write_u8(vs, vs->client_pf.rshift);    /* red-shift */
2242     vnc_write_u8(vs, vs->client_pf.gshift);    /* green-shift */
2243     vnc_write_u8(vs, vs->client_pf.bshift);    /* blue-shift */
2244     vnc_write(vs, pad, 3);           /* padding */
2245 
2246     vnc_hextile_set_pixel_conversion(vs, 0);
2247     vs->write_pixels = vnc_write_pixels_copy;
2248 }
2249 
2250 static void vnc_colordepth(VncState *vs)
2251 {
2252     if (vnc_has_feature(vs, VNC_FEATURE_WMVI)) {
2253         /* Sending a WMVi message to notify the client*/
2254         vnc_lock_output(vs);
2255         vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2256         vnc_write_u8(vs, 0);
2257         vnc_write_u16(vs, 1); /* number of rects */
2258         vnc_framebuffer_update(vs, 0, 0,
2259                                pixman_image_get_width(vs->vd->server),
2260                                pixman_image_get_height(vs->vd->server),
2261                                VNC_ENCODING_WMVi);
2262         pixel_format_message(vs);
2263         vnc_unlock_output(vs);
2264         vnc_flush(vs);
2265     } else {
2266         set_pixel_conversion(vs);
2267     }
2268 }
2269 
2270 static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
2271 {
2272     int i;
2273     uint16_t limit;
2274     VncDisplay *vd = vs->vd;
2275 
2276     if (data[0] > 3) {
2277         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
2278     }
2279 
2280     switch (data[0]) {
2281     case VNC_MSG_CLIENT_SET_PIXEL_FORMAT:
2282         if (len == 1)
2283             return 20;
2284 
2285         set_pixel_format(vs, read_u8(data, 4), read_u8(data, 5),
2286                          read_u8(data, 6), read_u8(data, 7),
2287                          read_u16(data, 8), read_u16(data, 10),
2288                          read_u16(data, 12), read_u8(data, 14),
2289                          read_u8(data, 15), read_u8(data, 16));
2290         break;
2291     case VNC_MSG_CLIENT_SET_ENCODINGS:
2292         if (len == 1)
2293             return 4;
2294 
2295         if (len == 4) {
2296             limit = read_u16(data, 2);
2297             if (limit > 0)
2298                 return 4 + (limit * 4);
2299         } else
2300             limit = read_u16(data, 2);
2301 
2302         for (i = 0; i < limit; i++) {
2303             int32_t val = read_s32(data, 4 + (i * 4));
2304             memcpy(data + 4 + (i * 4), &val, sizeof(val));
2305         }
2306 
2307         set_encodings(vs, (int32_t *)(data + 4), limit);
2308         break;
2309     case VNC_MSG_CLIENT_FRAMEBUFFER_UPDATE_REQUEST:
2310         if (len == 1)
2311             return 10;
2312 
2313         framebuffer_update_request(vs,
2314                                    read_u8(data, 1), read_u16(data, 2), read_u16(data, 4),
2315                                    read_u16(data, 6), read_u16(data, 8));
2316         break;
2317     case VNC_MSG_CLIENT_KEY_EVENT:
2318         if (len == 1)
2319             return 8;
2320 
2321         key_event(vs, read_u8(data, 1), read_u32(data, 4));
2322         break;
2323     case VNC_MSG_CLIENT_POINTER_EVENT:
2324         if (len == 1)
2325             return 6;
2326 
2327         pointer_event(vs, read_u8(data, 1), read_u16(data, 2), read_u16(data, 4));
2328         break;
2329     case VNC_MSG_CLIENT_CUT_TEXT:
2330         if (len == 1) {
2331             return 8;
2332         }
2333         if (len == 8) {
2334             uint32_t dlen = read_u32(data, 4);
2335             if (dlen > (1 << 20)) {
2336                 error_report("vnc: client_cut_text msg payload has %u bytes"
2337                              " which exceeds our limit of 1MB.", dlen);
2338                 vnc_client_error(vs);
2339                 break;
2340             }
2341             if (dlen > 0) {
2342                 return 8 + dlen;
2343             }
2344         }
2345 
2346         client_cut_text(vs, read_u32(data, 4), data + 8);
2347         break;
2348     case VNC_MSG_CLIENT_QEMU:
2349         if (len == 1)
2350             return 2;
2351 
2352         switch (read_u8(data, 1)) {
2353         case VNC_MSG_CLIENT_QEMU_EXT_KEY_EVENT:
2354             if (len == 2)
2355                 return 12;
2356 
2357             ext_key_event(vs, read_u16(data, 2),
2358                           read_u32(data, 4), read_u32(data, 8));
2359             break;
2360         case VNC_MSG_CLIENT_QEMU_AUDIO:
2361             if (len == 2)
2362                 return 4;
2363 
2364             switch (read_u16 (data, 2)) {
2365             case VNC_MSG_CLIENT_QEMU_AUDIO_ENABLE:
2366                 audio_add(vs);
2367                 break;
2368             case VNC_MSG_CLIENT_QEMU_AUDIO_DISABLE:
2369                 audio_del(vs);
2370                 break;
2371             case VNC_MSG_CLIENT_QEMU_AUDIO_SET_FORMAT:
2372                 if (len == 4)
2373                     return 10;
2374                 switch (read_u8(data, 4)) {
2375                 case 0: vs->as.fmt = AUD_FMT_U8; break;
2376                 case 1: vs->as.fmt = AUD_FMT_S8; break;
2377                 case 2: vs->as.fmt = AUD_FMT_U16; break;
2378                 case 3: vs->as.fmt = AUD_FMT_S16; break;
2379                 case 4: vs->as.fmt = AUD_FMT_U32; break;
2380                 case 5: vs->as.fmt = AUD_FMT_S32; break;
2381                 default:
2382                     VNC_DEBUG("Invalid audio format %d\n", read_u8(data, 4));
2383                     vnc_client_error(vs);
2384                     break;
2385                 }
2386                 vs->as.nchannels = read_u8(data, 5);
2387                 if (vs->as.nchannels != 1 && vs->as.nchannels != 2) {
2388                     VNC_DEBUG("Invalid audio channel coount %d\n",
2389                               read_u8(data, 5));
2390                     vnc_client_error(vs);
2391                     break;
2392                 }
2393                 vs->as.freq = read_u32(data, 6);
2394                 break;
2395             default:
2396                 VNC_DEBUG("Invalid audio message %d\n", read_u8(data, 4));
2397                 vnc_client_error(vs);
2398                 break;
2399             }
2400             break;
2401 
2402         default:
2403             VNC_DEBUG("Msg: %d\n", read_u16(data, 0));
2404             vnc_client_error(vs);
2405             break;
2406         }
2407         break;
2408     default:
2409         VNC_DEBUG("Msg: %d\n", data[0]);
2410         vnc_client_error(vs);
2411         break;
2412     }
2413 
2414     vnc_read_when(vs, protocol_client_msg, 1);
2415     return 0;
2416 }
2417 
2418 static int protocol_client_init(VncState *vs, uint8_t *data, size_t len)
2419 {
2420     char buf[1024];
2421     VncShareMode mode;
2422     int size;
2423 
2424     mode = data[0] ? VNC_SHARE_MODE_SHARED : VNC_SHARE_MODE_EXCLUSIVE;
2425     switch (vs->vd->share_policy) {
2426     case VNC_SHARE_POLICY_IGNORE:
2427         /*
2428          * Ignore the shared flag.  Nothing to do here.
2429          *
2430          * Doesn't conform to the rfb spec but is traditional qemu
2431          * behavior, thus left here as option for compatibility
2432          * reasons.
2433          */
2434         break;
2435     case VNC_SHARE_POLICY_ALLOW_EXCLUSIVE:
2436         /*
2437          * Policy: Allow clients ask for exclusive access.
2438          *
2439          * Implementation: When a client asks for exclusive access,
2440          * disconnect all others. Shared connects are allowed as long
2441          * as no exclusive connection exists.
2442          *
2443          * This is how the rfb spec suggests to handle the shared flag.
2444          */
2445         if (mode == VNC_SHARE_MODE_EXCLUSIVE) {
2446             VncState *client;
2447             QTAILQ_FOREACH(client, &vs->vd->clients, next) {
2448                 if (vs == client) {
2449                     continue;
2450                 }
2451                 if (client->share_mode != VNC_SHARE_MODE_EXCLUSIVE &&
2452                     client->share_mode != VNC_SHARE_MODE_SHARED) {
2453                     continue;
2454                 }
2455                 vnc_disconnect_start(client);
2456             }
2457         }
2458         if (mode == VNC_SHARE_MODE_SHARED) {
2459             if (vs->vd->num_exclusive > 0) {
2460                 vnc_disconnect_start(vs);
2461                 return 0;
2462             }
2463         }
2464         break;
2465     case VNC_SHARE_POLICY_FORCE_SHARED:
2466         /*
2467          * Policy: Shared connects only.
2468          * Implementation: Disallow clients asking for exclusive access.
2469          *
2470          * Useful for shared desktop sessions where you don't want
2471          * someone forgetting to say -shared when running the vnc
2472          * client disconnect everybody else.
2473          */
2474         if (mode == VNC_SHARE_MODE_EXCLUSIVE) {
2475             vnc_disconnect_start(vs);
2476             return 0;
2477         }
2478         break;
2479     }
2480     vnc_set_share_mode(vs, mode);
2481 
2482     if (vs->vd->num_shared > vs->vd->connections_limit) {
2483         vnc_disconnect_start(vs);
2484         return 0;
2485     }
2486 
2487     vs->client_width = pixman_image_get_width(vs->vd->server);
2488     vs->client_height = pixman_image_get_height(vs->vd->server);
2489     vnc_write_u16(vs, vs->client_width);
2490     vnc_write_u16(vs, vs->client_height);
2491 
2492     pixel_format_message(vs);
2493 
2494     if (qemu_name)
2495         size = snprintf(buf, sizeof(buf), "QEMU (%s)", qemu_name);
2496     else
2497         size = snprintf(buf, sizeof(buf), "QEMU");
2498 
2499     vnc_write_u32(vs, size);
2500     vnc_write(vs, buf, size);
2501     vnc_flush(vs);
2502 
2503     vnc_client_cache_auth(vs);
2504     vnc_qmp_event(vs, QAPI_EVENT_VNC_INITIALIZED);
2505 
2506     vnc_read_when(vs, protocol_client_msg, 1);
2507 
2508     return 0;
2509 }
2510 
2511 void start_client_init(VncState *vs)
2512 {
2513     vnc_read_when(vs, protocol_client_init, 1);
2514 }
2515 
2516 static void make_challenge(VncState *vs)
2517 {
2518     int i;
2519 
2520     srand(time(NULL)+getpid()+getpid()*987654+rand());
2521 
2522     for (i = 0 ; i < sizeof(vs->challenge) ; i++)
2523         vs->challenge[i] = (int) (256.0*rand()/(RAND_MAX+1.0));
2524 }
2525 
2526 static int protocol_client_auth_vnc(VncState *vs, uint8_t *data, size_t len)
2527 {
2528     unsigned char response[VNC_AUTH_CHALLENGE_SIZE];
2529     size_t i, pwlen;
2530     unsigned char key[8];
2531     time_t now = time(NULL);
2532     QCryptoCipher *cipher = NULL;
2533     Error *err = NULL;
2534 
2535     if (!vs->vd->password) {
2536         VNC_DEBUG("No password configured on server");
2537         goto reject;
2538     }
2539     if (vs->vd->expires < now) {
2540         VNC_DEBUG("Password is expired");
2541         goto reject;
2542     }
2543 
2544     memcpy(response, vs->challenge, VNC_AUTH_CHALLENGE_SIZE);
2545 
2546     /* Calculate the expected challenge response */
2547     pwlen = strlen(vs->vd->password);
2548     for (i=0; i<sizeof(key); i++)
2549         key[i] = i<pwlen ? vs->vd->password[i] : 0;
2550 
2551     cipher = qcrypto_cipher_new(
2552         QCRYPTO_CIPHER_ALG_DES_RFB,
2553         QCRYPTO_CIPHER_MODE_ECB,
2554         key, G_N_ELEMENTS(key),
2555         &err);
2556     if (!cipher) {
2557         VNC_DEBUG("Cannot initialize cipher %s",
2558                   error_get_pretty(err));
2559         error_free(err);
2560         goto reject;
2561     }
2562 
2563     if (qcrypto_cipher_encrypt(cipher,
2564                                vs->challenge,
2565                                response,
2566                                VNC_AUTH_CHALLENGE_SIZE,
2567                                &err) < 0) {
2568         VNC_DEBUG("Cannot encrypt challenge %s",
2569                   error_get_pretty(err));
2570         error_free(err);
2571         goto reject;
2572     }
2573 
2574     /* Compare expected vs actual challenge response */
2575     if (memcmp(response, data, VNC_AUTH_CHALLENGE_SIZE) != 0) {
2576         VNC_DEBUG("Client challenge response did not match\n");
2577         goto reject;
2578     } else {
2579         VNC_DEBUG("Accepting VNC challenge response\n");
2580         vnc_write_u32(vs, 0); /* Accept auth */
2581         vnc_flush(vs);
2582 
2583         start_client_init(vs);
2584     }
2585 
2586     qcrypto_cipher_free(cipher);
2587     return 0;
2588 
2589 reject:
2590     vnc_write_u32(vs, 1); /* Reject auth */
2591     if (vs->minor >= 8) {
2592         static const char err[] = "Authentication failed";
2593         vnc_write_u32(vs, sizeof(err));
2594         vnc_write(vs, err, sizeof(err));
2595     }
2596     vnc_flush(vs);
2597     vnc_client_error(vs);
2598     qcrypto_cipher_free(cipher);
2599     return 0;
2600 }
2601 
2602 void start_auth_vnc(VncState *vs)
2603 {
2604     make_challenge(vs);
2605     /* Send client a 'random' challenge */
2606     vnc_write(vs, vs->challenge, sizeof(vs->challenge));
2607     vnc_flush(vs);
2608 
2609     vnc_read_when(vs, protocol_client_auth_vnc, sizeof(vs->challenge));
2610 }
2611 
2612 
2613 static int protocol_client_auth(VncState *vs, uint8_t *data, size_t len)
2614 {
2615     /* We only advertise 1 auth scheme at a time, so client
2616      * must pick the one we sent. Verify this */
2617     if (data[0] != vs->auth) { /* Reject auth */
2618        VNC_DEBUG("Reject auth %d because it didn't match advertized\n", (int)data[0]);
2619        vnc_write_u32(vs, 1);
2620        if (vs->minor >= 8) {
2621            static const char err[] = "Authentication failed";
2622            vnc_write_u32(vs, sizeof(err));
2623            vnc_write(vs, err, sizeof(err));
2624        }
2625        vnc_client_error(vs);
2626     } else { /* Accept requested auth */
2627        VNC_DEBUG("Client requested auth %d\n", (int)data[0]);
2628        switch (vs->auth) {
2629        case VNC_AUTH_NONE:
2630            VNC_DEBUG("Accept auth none\n");
2631            if (vs->minor >= 8) {
2632                vnc_write_u32(vs, 0); /* Accept auth completion */
2633                vnc_flush(vs);
2634            }
2635            start_client_init(vs);
2636            break;
2637 
2638        case VNC_AUTH_VNC:
2639            VNC_DEBUG("Start VNC auth\n");
2640            start_auth_vnc(vs);
2641            break;
2642 
2643        case VNC_AUTH_VENCRYPT:
2644            VNC_DEBUG("Accept VeNCrypt auth\n");
2645            start_auth_vencrypt(vs);
2646            break;
2647 
2648 #ifdef CONFIG_VNC_SASL
2649        case VNC_AUTH_SASL:
2650            VNC_DEBUG("Accept SASL auth\n");
2651            start_auth_sasl(vs);
2652            break;
2653 #endif /* CONFIG_VNC_SASL */
2654 
2655        default: /* Should not be possible, but just in case */
2656            VNC_DEBUG("Reject auth %d server code bug\n", vs->auth);
2657            vnc_write_u8(vs, 1);
2658            if (vs->minor >= 8) {
2659                static const char err[] = "Authentication failed";
2660                vnc_write_u32(vs, sizeof(err));
2661                vnc_write(vs, err, sizeof(err));
2662            }
2663            vnc_client_error(vs);
2664        }
2665     }
2666     return 0;
2667 }
2668 
2669 static int protocol_version(VncState *vs, uint8_t *version, size_t len)
2670 {
2671     char local[13];
2672 
2673     memcpy(local, version, 12);
2674     local[12] = 0;
2675 
2676     if (sscanf(local, "RFB %03d.%03d\n", &vs->major, &vs->minor) != 2) {
2677         VNC_DEBUG("Malformed protocol version %s\n", local);
2678         vnc_client_error(vs);
2679         return 0;
2680     }
2681     VNC_DEBUG("Client request protocol version %d.%d\n", vs->major, vs->minor);
2682     if (vs->major != 3 ||
2683         (vs->minor != 3 &&
2684          vs->minor != 4 &&
2685          vs->minor != 5 &&
2686          vs->minor != 7 &&
2687          vs->minor != 8)) {
2688         VNC_DEBUG("Unsupported client version\n");
2689         vnc_write_u32(vs, VNC_AUTH_INVALID);
2690         vnc_flush(vs);
2691         vnc_client_error(vs);
2692         return 0;
2693     }
2694     /* Some broken clients report v3.4 or v3.5, which spec requires to be treated
2695      * as equivalent to v3.3 by servers
2696      */
2697     if (vs->minor == 4 || vs->minor == 5)
2698         vs->minor = 3;
2699 
2700     if (vs->minor == 3) {
2701         if (vs->auth == VNC_AUTH_NONE) {
2702             VNC_DEBUG("Tell client auth none\n");
2703             vnc_write_u32(vs, vs->auth);
2704             vnc_flush(vs);
2705             start_client_init(vs);
2706        } else if (vs->auth == VNC_AUTH_VNC) {
2707             VNC_DEBUG("Tell client VNC auth\n");
2708             vnc_write_u32(vs, vs->auth);
2709             vnc_flush(vs);
2710             start_auth_vnc(vs);
2711        } else {
2712             VNC_DEBUG("Unsupported auth %d for protocol 3.3\n", vs->auth);
2713             vnc_write_u32(vs, VNC_AUTH_INVALID);
2714             vnc_flush(vs);
2715             vnc_client_error(vs);
2716        }
2717     } else {
2718         VNC_DEBUG("Telling client we support auth %d\n", vs->auth);
2719         vnc_write_u8(vs, 1); /* num auth */
2720         vnc_write_u8(vs, vs->auth);
2721         vnc_read_when(vs, protocol_client_auth, 1);
2722         vnc_flush(vs);
2723     }
2724 
2725     return 0;
2726 }
2727 
2728 static VncRectStat *vnc_stat_rect(VncDisplay *vd, int x, int y)
2729 {
2730     struct VncSurface *vs = &vd->guest;
2731 
2732     return &vs->stats[y / VNC_STAT_RECT][x / VNC_STAT_RECT];
2733 }
2734 
2735 void vnc_sent_lossy_rect(VncState *vs, int x, int y, int w, int h)
2736 {
2737     int i, j;
2738 
2739     w = (x + w) / VNC_STAT_RECT;
2740     h = (y + h) / VNC_STAT_RECT;
2741     x /= VNC_STAT_RECT;
2742     y /= VNC_STAT_RECT;
2743 
2744     for (j = y; j <= h; j++) {
2745         for (i = x; i <= w; i++) {
2746             vs->lossy_rect[j][i] = 1;
2747         }
2748     }
2749 }
2750 
2751 static int vnc_refresh_lossy_rect(VncDisplay *vd, int x, int y)
2752 {
2753     VncState *vs;
2754     int sty = y / VNC_STAT_RECT;
2755     int stx = x / VNC_STAT_RECT;
2756     int has_dirty = 0;
2757 
2758     y = y / VNC_STAT_RECT * VNC_STAT_RECT;
2759     x = x / VNC_STAT_RECT * VNC_STAT_RECT;
2760 
2761     QTAILQ_FOREACH(vs, &vd->clients, next) {
2762         int j;
2763 
2764         /* kernel send buffers are full -> refresh later */
2765         if (vs->output.offset) {
2766             continue;
2767         }
2768 
2769         if (!vs->lossy_rect[sty][stx]) {
2770             continue;
2771         }
2772 
2773         vs->lossy_rect[sty][stx] = 0;
2774         for (j = 0; j < VNC_STAT_RECT; ++j) {
2775             bitmap_set(vs->dirty[y + j],
2776                        x / VNC_DIRTY_PIXELS_PER_BIT,
2777                        VNC_STAT_RECT / VNC_DIRTY_PIXELS_PER_BIT);
2778         }
2779         has_dirty++;
2780     }
2781 
2782     return has_dirty;
2783 }
2784 
2785 static int vnc_update_stats(VncDisplay *vd,  struct timeval * tv)
2786 {
2787     int width = pixman_image_get_width(vd->guest.fb);
2788     int height = pixman_image_get_height(vd->guest.fb);
2789     int x, y;
2790     struct timeval res;
2791     int has_dirty = 0;
2792 
2793     for (y = 0; y < height; y += VNC_STAT_RECT) {
2794         for (x = 0; x < width; x += VNC_STAT_RECT) {
2795             VncRectStat *rect = vnc_stat_rect(vd, x, y);
2796 
2797             rect->updated = false;
2798         }
2799     }
2800 
2801     qemu_timersub(tv, &VNC_REFRESH_STATS, &res);
2802 
2803     if (timercmp(&vd->guest.last_freq_check, &res, >)) {
2804         return has_dirty;
2805     }
2806     vd->guest.last_freq_check = *tv;
2807 
2808     for (y = 0; y < height; y += VNC_STAT_RECT) {
2809         for (x = 0; x < width; x += VNC_STAT_RECT) {
2810             VncRectStat *rect= vnc_stat_rect(vd, x, y);
2811             int count = ARRAY_SIZE(rect->times);
2812             struct timeval min, max;
2813 
2814             if (!timerisset(&rect->times[count - 1])) {
2815                 continue ;
2816             }
2817 
2818             max = rect->times[(rect->idx + count - 1) % count];
2819             qemu_timersub(tv, &max, &res);
2820 
2821             if (timercmp(&res, &VNC_REFRESH_LOSSY, >)) {
2822                 rect->freq = 0;
2823                 has_dirty += vnc_refresh_lossy_rect(vd, x, y);
2824                 memset(rect->times, 0, sizeof (rect->times));
2825                 continue ;
2826             }
2827 
2828             min = rect->times[rect->idx];
2829             max = rect->times[(rect->idx + count - 1) % count];
2830             qemu_timersub(&max, &min, &res);
2831 
2832             rect->freq = res.tv_sec + res.tv_usec / 1000000.;
2833             rect->freq /= count;
2834             rect->freq = 1. / rect->freq;
2835         }
2836     }
2837     return has_dirty;
2838 }
2839 
2840 double vnc_update_freq(VncState *vs, int x, int y, int w, int h)
2841 {
2842     int i, j;
2843     double total = 0;
2844     int num = 0;
2845 
2846     x =  (x / VNC_STAT_RECT) * VNC_STAT_RECT;
2847     y =  (y / VNC_STAT_RECT) * VNC_STAT_RECT;
2848 
2849     for (j = y; j <= y + h; j += VNC_STAT_RECT) {
2850         for (i = x; i <= x + w; i += VNC_STAT_RECT) {
2851             total += vnc_stat_rect(vs->vd, i, j)->freq;
2852             num++;
2853         }
2854     }
2855 
2856     if (num) {
2857         return total / num;
2858     } else {
2859         return 0;
2860     }
2861 }
2862 
2863 static void vnc_rect_updated(VncDisplay *vd, int x, int y, struct timeval * tv)
2864 {
2865     VncRectStat *rect;
2866 
2867     rect = vnc_stat_rect(vd, x, y);
2868     if (rect->updated) {
2869         return ;
2870     }
2871     rect->times[rect->idx] = *tv;
2872     rect->idx = (rect->idx + 1) % ARRAY_SIZE(rect->times);
2873     rect->updated = true;
2874 }
2875 
2876 static int vnc_refresh_server_surface(VncDisplay *vd)
2877 {
2878     int width = MIN(pixman_image_get_width(vd->guest.fb),
2879                     pixman_image_get_width(vd->server));
2880     int height = MIN(pixman_image_get_height(vd->guest.fb),
2881                      pixman_image_get_height(vd->server));
2882     int cmp_bytes, server_stride, line_bytes, guest_ll, guest_stride, y = 0;
2883     uint8_t *guest_row0 = NULL, *server_row0;
2884     VncState *vs;
2885     int has_dirty = 0;
2886     pixman_image_t *tmpbuf = NULL;
2887 
2888     struct timeval tv = { 0, 0 };
2889 
2890     if (!vd->non_adaptive) {
2891         gettimeofday(&tv, NULL);
2892         has_dirty = vnc_update_stats(vd, &tv);
2893     }
2894 
2895     /*
2896      * Walk through the guest dirty map.
2897      * Check and copy modified bits from guest to server surface.
2898      * Update server dirty map.
2899      */
2900     server_row0 = (uint8_t *)pixman_image_get_data(vd->server);
2901     server_stride = guest_stride = guest_ll =
2902         pixman_image_get_stride(vd->server);
2903     cmp_bytes = MIN(VNC_DIRTY_PIXELS_PER_BIT * VNC_SERVER_FB_BYTES,
2904                     server_stride);
2905     if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
2906         int width = pixman_image_get_width(vd->server);
2907         tmpbuf = qemu_pixman_linebuf_create(VNC_SERVER_FB_FORMAT, width);
2908     } else {
2909         int guest_bpp =
2910             PIXMAN_FORMAT_BPP(pixman_image_get_format(vd->guest.fb));
2911         guest_row0 = (uint8_t *)pixman_image_get_data(vd->guest.fb);
2912         guest_stride = pixman_image_get_stride(vd->guest.fb);
2913         guest_ll = pixman_image_get_width(vd->guest.fb) * ((guest_bpp + 7) / 8);
2914     }
2915     line_bytes = MIN(server_stride, guest_ll);
2916 
2917     for (;;) {
2918         int x;
2919         uint8_t *guest_ptr, *server_ptr;
2920         unsigned long offset = find_next_bit((unsigned long *) &vd->guest.dirty,
2921                                              height * VNC_DIRTY_BPL(&vd->guest),
2922                                              y * VNC_DIRTY_BPL(&vd->guest));
2923         if (offset == height * VNC_DIRTY_BPL(&vd->guest)) {
2924             /* no more dirty bits */
2925             break;
2926         }
2927         y = offset / VNC_DIRTY_BPL(&vd->guest);
2928         x = offset % VNC_DIRTY_BPL(&vd->guest);
2929 
2930         server_ptr = server_row0 + y * server_stride + x * cmp_bytes;
2931 
2932         if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
2933             qemu_pixman_linebuf_fill(tmpbuf, vd->guest.fb, width, 0, y);
2934             guest_ptr = (uint8_t *)pixman_image_get_data(tmpbuf);
2935         } else {
2936             guest_ptr = guest_row0 + y * guest_stride;
2937         }
2938         guest_ptr += x * cmp_bytes;
2939 
2940         for (; x < DIV_ROUND_UP(width, VNC_DIRTY_PIXELS_PER_BIT);
2941              x++, guest_ptr += cmp_bytes, server_ptr += cmp_bytes) {
2942             int _cmp_bytes = cmp_bytes;
2943             if (!test_and_clear_bit(x, vd->guest.dirty[y])) {
2944                 continue;
2945             }
2946             if ((x + 1) * cmp_bytes > line_bytes) {
2947                 _cmp_bytes = line_bytes - x * cmp_bytes;
2948             }
2949             assert(_cmp_bytes >= 0);
2950             if (memcmp(server_ptr, guest_ptr, _cmp_bytes) == 0) {
2951                 continue;
2952             }
2953             memcpy(server_ptr, guest_ptr, _cmp_bytes);
2954             if (!vd->non_adaptive) {
2955                 vnc_rect_updated(vd, x * VNC_DIRTY_PIXELS_PER_BIT,
2956                                  y, &tv);
2957             }
2958             QTAILQ_FOREACH(vs, &vd->clients, next) {
2959                 set_bit(x, vs->dirty[y]);
2960             }
2961             has_dirty++;
2962         }
2963 
2964         y++;
2965     }
2966     qemu_pixman_image_unref(tmpbuf);
2967     return has_dirty;
2968 }
2969 
2970 static void vnc_refresh(DisplayChangeListener *dcl)
2971 {
2972     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
2973     VncState *vs, *vn;
2974     int has_dirty, rects = 0;
2975 
2976     if (QTAILQ_EMPTY(&vd->clients)) {
2977         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_MAX);
2978         return;
2979     }
2980 
2981     graphic_hw_update(vd->dcl.con);
2982 
2983     if (vnc_trylock_display(vd)) {
2984         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
2985         return;
2986     }
2987 
2988     has_dirty = vnc_refresh_server_surface(vd);
2989     vnc_unlock_display(vd);
2990 
2991     QTAILQ_FOREACH_SAFE(vs, &vd->clients, next, vn) {
2992         rects += vnc_update_client(vs, has_dirty, false);
2993         /* vs might be free()ed here */
2994     }
2995 
2996     if (has_dirty && rects) {
2997         vd->dcl.update_interval /= 2;
2998         if (vd->dcl.update_interval < VNC_REFRESH_INTERVAL_BASE) {
2999             vd->dcl.update_interval = VNC_REFRESH_INTERVAL_BASE;
3000         }
3001     } else {
3002         vd->dcl.update_interval += VNC_REFRESH_INTERVAL_INC;
3003         if (vd->dcl.update_interval > VNC_REFRESH_INTERVAL_MAX) {
3004             vd->dcl.update_interval = VNC_REFRESH_INTERVAL_MAX;
3005         }
3006     }
3007 }
3008 
3009 static void vnc_connect(VncDisplay *vd, int csock,
3010                         bool skipauth, bool websocket)
3011 {
3012     VncState *vs = g_new0(VncState, 1);
3013     int i;
3014 
3015     vs->csock = csock;
3016     vs->vd = vd;
3017 
3018     buffer_init(&vs->input,          "vnc-input/%d", csock);
3019     buffer_init(&vs->output,         "vnc-output/%d", csock);
3020     buffer_init(&vs->ws_input,       "vnc-ws_input/%d", csock);
3021     buffer_init(&vs->ws_output,      "vnc-ws_output/%d", csock);
3022     buffer_init(&vs->jobs_buffer,    "vnc-jobs_buffer/%d", csock);
3023 
3024     buffer_init(&vs->tight.tight,    "vnc-tight/%d", csock);
3025     buffer_init(&vs->tight.zlib,     "vnc-tight-zlib/%d", csock);
3026     buffer_init(&vs->tight.gradient, "vnc-tight-gradient/%d", csock);
3027 #ifdef CONFIG_VNC_JPEG
3028     buffer_init(&vs->tight.jpeg,     "vnc-tight-jpeg/%d", csock);
3029 #endif
3030 #ifdef CONFIG_VNC_PNG
3031     buffer_init(&vs->tight.png,      "vnc-tight-png/%d", csock);
3032 #endif
3033     buffer_init(&vs->zlib.zlib,      "vnc-zlib/%d", csock);
3034     buffer_init(&vs->zrle.zrle,      "vnc-zrle/%d", csock);
3035     buffer_init(&vs->zrle.fb,        "vnc-zrle-fb/%d", csock);
3036     buffer_init(&vs->zrle.zlib,      "vnc-zrle-zlib/%d", csock);
3037 
3038     if (skipauth) {
3039 	vs->auth = VNC_AUTH_NONE;
3040 	vs->subauth = VNC_AUTH_INVALID;
3041     } else {
3042         if (websocket) {
3043             vs->auth = vd->ws_auth;
3044             vs->subauth = VNC_AUTH_INVALID;
3045         } else {
3046             vs->auth = vd->auth;
3047             vs->subauth = vd->subauth;
3048         }
3049     }
3050     VNC_DEBUG("Client sock=%d ws=%d auth=%d subauth=%d\n",
3051               csock, websocket, vs->auth, vs->subauth);
3052 
3053     vs->lossy_rect = g_malloc0(VNC_STAT_ROWS * sizeof (*vs->lossy_rect));
3054     for (i = 0; i < VNC_STAT_ROWS; ++i) {
3055         vs->lossy_rect[i] = g_new0(uint8_t, VNC_STAT_COLS);
3056     }
3057 
3058     VNC_DEBUG("New client on socket %d\n", csock);
3059     update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
3060     qemu_set_nonblock(vs->csock);
3061     if (websocket) {
3062         vs->websocket = 1;
3063         if (vd->ws_tls) {
3064             qemu_set_fd_handler(vs->csock, vncws_tls_handshake_io, NULL, vs);
3065         } else {
3066             qemu_set_fd_handler(vs->csock, vncws_handshake_read, NULL, vs);
3067         }
3068     } else
3069     {
3070         qemu_set_fd_handler(vs->csock, vnc_client_read, NULL, vs);
3071     }
3072 
3073     vnc_client_cache_addr(vs);
3074     vnc_qmp_event(vs, QAPI_EVENT_VNC_CONNECTED);
3075     vnc_set_share_mode(vs, VNC_SHARE_MODE_CONNECTING);
3076 
3077     if (!vs->websocket) {
3078         vnc_init_state(vs);
3079     }
3080 
3081     if (vd->num_connecting > vd->connections_limit) {
3082         QTAILQ_FOREACH(vs, &vd->clients, next) {
3083             if (vs->share_mode == VNC_SHARE_MODE_CONNECTING) {
3084                 vnc_disconnect_start(vs);
3085                 return;
3086             }
3087         }
3088     }
3089 }
3090 
3091 void vnc_init_state(VncState *vs)
3092 {
3093     vs->initialized = true;
3094     VncDisplay *vd = vs->vd;
3095     bool first_client = QTAILQ_EMPTY(&vd->clients);
3096 
3097     vs->last_x = -1;
3098     vs->last_y = -1;
3099 
3100     vs->as.freq = 44100;
3101     vs->as.nchannels = 2;
3102     vs->as.fmt = AUD_FMT_S16;
3103     vs->as.endianness = 0;
3104 
3105     qemu_mutex_init(&vs->output_mutex);
3106     vs->bh = qemu_bh_new(vnc_jobs_bh, vs);
3107 
3108     QTAILQ_INSERT_TAIL(&vd->clients, vs, next);
3109     if (first_client) {
3110         vnc_update_server_surface(vd);
3111     }
3112 
3113     graphic_hw_update(vd->dcl.con);
3114 
3115     vnc_write(vs, "RFB 003.008\n", 12);
3116     vnc_flush(vs);
3117     vnc_read_when(vs, protocol_version, 12);
3118     reset_keys(vs);
3119     if (vs->vd->lock_key_sync)
3120         vs->led = qemu_add_led_event_handler(kbd_leds, vs);
3121 
3122     vs->mouse_mode_notifier.notify = check_pointer_type_change;
3123     qemu_add_mouse_mode_change_notifier(&vs->mouse_mode_notifier);
3124 
3125     /* vs might be free()ed here */
3126 }
3127 
3128 static void vnc_listen_read(void *opaque, bool websocket)
3129 {
3130     VncDisplay *vs = opaque;
3131     struct sockaddr_in addr;
3132     socklen_t addrlen = sizeof(addr);
3133     int csock;
3134 
3135     /* Catch-up */
3136     graphic_hw_update(vs->dcl.con);
3137     if (websocket) {
3138         csock = qemu_accept(vs->lwebsock, (struct sockaddr *)&addr, &addrlen);
3139     } else {
3140         csock = qemu_accept(vs->lsock, (struct sockaddr *)&addr, &addrlen);
3141     }
3142 
3143     if (csock != -1) {
3144         socket_set_nodelay(csock);
3145         vnc_connect(vs, csock, false, websocket);
3146     }
3147 }
3148 
3149 static void vnc_listen_regular_read(void *opaque)
3150 {
3151     vnc_listen_read(opaque, false);
3152 }
3153 
3154 static void vnc_listen_websocket_read(void *opaque)
3155 {
3156     vnc_listen_read(opaque, true);
3157 }
3158 
3159 static const DisplayChangeListenerOps dcl_ops = {
3160     .dpy_name             = "vnc",
3161     .dpy_refresh          = vnc_refresh,
3162     .dpy_gfx_copy         = vnc_dpy_copy,
3163     .dpy_gfx_update       = vnc_dpy_update,
3164     .dpy_gfx_switch       = vnc_dpy_switch,
3165     .dpy_gfx_check_format = qemu_pixman_check_format,
3166     .dpy_mouse_set        = vnc_mouse_set,
3167     .dpy_cursor_define    = vnc_dpy_cursor_define,
3168 };
3169 
3170 void vnc_display_init(const char *id)
3171 {
3172     VncDisplay *vs;
3173 
3174     if (vnc_display_find(id) != NULL) {
3175         return;
3176     }
3177     vs = g_malloc0(sizeof(*vs));
3178 
3179     vs->id = strdup(id);
3180     QTAILQ_INSERT_TAIL(&vnc_displays, vs, next);
3181 
3182     vs->lsock = -1;
3183     vs->lwebsock = -1;
3184 
3185     QTAILQ_INIT(&vs->clients);
3186     vs->expires = TIME_MAX;
3187 
3188     if (keyboard_layout) {
3189         trace_vnc_key_map_init(keyboard_layout);
3190         vs->kbd_layout = init_keyboard_layout(name2keysym, keyboard_layout);
3191     } else {
3192         vs->kbd_layout = init_keyboard_layout(name2keysym, "en-us");
3193     }
3194 
3195     if (!vs->kbd_layout)
3196         exit(1);
3197 
3198     qemu_mutex_init(&vs->mutex);
3199     vnc_start_worker_thread();
3200 
3201     vs->dcl.ops = &dcl_ops;
3202     register_displaychangelistener(&vs->dcl);
3203 }
3204 
3205 
3206 static void vnc_display_close(VncDisplay *vs)
3207 {
3208     if (!vs)
3209         return;
3210     vs->enabled = false;
3211     vs->is_unix = false;
3212     if (vs->lsock != -1) {
3213         qemu_set_fd_handler(vs->lsock, NULL, NULL, NULL);
3214         close(vs->lsock);
3215         vs->lsock = -1;
3216     }
3217     vs->ws_enabled = false;
3218     if (vs->lwebsock != -1) {
3219         qemu_set_fd_handler(vs->lwebsock, NULL, NULL, NULL);
3220         close(vs->lwebsock);
3221         vs->lwebsock = -1;
3222     }
3223     vs->auth = VNC_AUTH_INVALID;
3224     vs->subauth = VNC_AUTH_INVALID;
3225     if (vs->tlscreds) {
3226         object_unparent(OBJECT(vs->tlscreds));
3227     }
3228     g_free(vs->tlsaclname);
3229     vs->tlsaclname = NULL;
3230 }
3231 
3232 int vnc_display_password(const char *id, const char *password)
3233 {
3234     VncDisplay *vs = vnc_display_find(id);
3235 
3236     if (!vs) {
3237         return -EINVAL;
3238     }
3239     if (vs->auth == VNC_AUTH_NONE) {
3240         error_printf_unless_qmp("If you want use passwords please enable "
3241                                 "password auth using '-vnc ${dpy},password'.");
3242         return -EINVAL;
3243     }
3244 
3245     g_free(vs->password);
3246     vs->password = g_strdup(password);
3247 
3248     return 0;
3249 }
3250 
3251 int vnc_display_pw_expire(const char *id, time_t expires)
3252 {
3253     VncDisplay *vs = vnc_display_find(id);
3254 
3255     if (!vs) {
3256         return -EINVAL;
3257     }
3258 
3259     vs->expires = expires;
3260     return 0;
3261 }
3262 
3263 char *vnc_display_local_addr(const char *id)
3264 {
3265     VncDisplay *vs = vnc_display_find(id);
3266 
3267     assert(vs);
3268     return vnc_socket_local_addr("%s:%s", vs->lsock);
3269 }
3270 
3271 static QemuOptsList qemu_vnc_opts = {
3272     .name = "vnc",
3273     .head = QTAILQ_HEAD_INITIALIZER(qemu_vnc_opts.head),
3274     .implied_opt_name = "vnc",
3275     .desc = {
3276         {
3277             .name = "vnc",
3278             .type = QEMU_OPT_STRING,
3279         },{
3280             .name = "websocket",
3281             .type = QEMU_OPT_STRING,
3282         },{
3283             .name = "tls-creds",
3284             .type = QEMU_OPT_STRING,
3285         },{
3286             /* Deprecated in favour of tls-creds */
3287             .name = "x509",
3288             .type = QEMU_OPT_STRING,
3289         },{
3290             .name = "share",
3291             .type = QEMU_OPT_STRING,
3292         },{
3293             .name = "display",
3294             .type = QEMU_OPT_STRING,
3295         },{
3296             .name = "head",
3297             .type = QEMU_OPT_NUMBER,
3298         },{
3299             .name = "connections",
3300             .type = QEMU_OPT_NUMBER,
3301         },{
3302             .name = "to",
3303             .type = QEMU_OPT_NUMBER,
3304         },{
3305             .name = "ipv4",
3306             .type = QEMU_OPT_BOOL,
3307         },{
3308             .name = "ipv6",
3309             .type = QEMU_OPT_BOOL,
3310         },{
3311             .name = "password",
3312             .type = QEMU_OPT_BOOL,
3313         },{
3314             .name = "reverse",
3315             .type = QEMU_OPT_BOOL,
3316         },{
3317             .name = "lock-key-sync",
3318             .type = QEMU_OPT_BOOL,
3319         },{
3320             .name = "sasl",
3321             .type = QEMU_OPT_BOOL,
3322         },{
3323             /* Deprecated in favour of tls-creds */
3324             .name = "tls",
3325             .type = QEMU_OPT_BOOL,
3326         },{
3327             /* Deprecated in favour of tls-creds */
3328             .name = "x509verify",
3329             .type = QEMU_OPT_STRING,
3330         },{
3331             .name = "acl",
3332             .type = QEMU_OPT_BOOL,
3333         },{
3334             .name = "lossy",
3335             .type = QEMU_OPT_BOOL,
3336         },{
3337             .name = "non-adaptive",
3338             .type = QEMU_OPT_BOOL,
3339         },
3340         { /* end of list */ }
3341     },
3342 };
3343 
3344 
3345 static int
3346 vnc_display_setup_auth(VncDisplay *vs,
3347                        bool password,
3348                        bool sasl,
3349                        bool websocket,
3350                        Error **errp)
3351 {
3352     /*
3353      * We have a choice of 3 authentication options
3354      *
3355      *   1. none
3356      *   2. vnc
3357      *   3. sasl
3358      *
3359      * The channel can be run in 2 modes
3360      *
3361      *   1. clear
3362      *   2. tls
3363      *
3364      * And TLS can use 2 types of credentials
3365      *
3366      *   1. anon
3367      *   2. x509
3368      *
3369      * We thus have 9 possible logical combinations
3370      *
3371      *   1. clear + none
3372      *   2. clear + vnc
3373      *   3. clear + sasl
3374      *   4. tls + anon + none
3375      *   5. tls + anon + vnc
3376      *   6. tls + anon + sasl
3377      *   7. tls + x509 + none
3378      *   8. tls + x509 + vnc
3379      *   9. tls + x509 + sasl
3380      *
3381      * These need to be mapped into the VNC auth schemes
3382      * in an appropriate manner. In regular VNC, all the
3383      * TLS options get mapped into VNC_AUTH_VENCRYPT
3384      * sub-auth types.
3385      *
3386      * In websockets, the https:// protocol already provides
3387      * TLS support, so there is no need to make use of the
3388      * VeNCrypt extension. Furthermore, websockets browser
3389      * clients could not use VeNCrypt even if they wanted to,
3390      * as they cannot control when the TLS handshake takes
3391      * place. Thus there is no option but to rely on https://,
3392      * meaning combinations 4->6 and 7->9 will be mapped to
3393      * VNC auth schemes in the same way as combos 1->3.
3394      *
3395      * Regardless of fact that we have a different mapping to
3396      * VNC auth mechs for plain VNC vs websockets VNC, the end
3397      * result has the same security characteristics.
3398      */
3399     if (password) {
3400         if (vs->tlscreds) {
3401             vs->auth = VNC_AUTH_VENCRYPT;
3402             if (websocket) {
3403                 vs->ws_tls = true;
3404             }
3405             if (object_dynamic_cast(OBJECT(vs->tlscreds),
3406                                     TYPE_QCRYPTO_TLS_CREDS_X509)) {
3407                 VNC_DEBUG("Initializing VNC server with x509 password auth\n");
3408                 vs->subauth = VNC_AUTH_VENCRYPT_X509VNC;
3409             } else if (object_dynamic_cast(OBJECT(vs->tlscreds),
3410                                            TYPE_QCRYPTO_TLS_CREDS_ANON)) {
3411                 VNC_DEBUG("Initializing VNC server with TLS password auth\n");
3412                 vs->subauth = VNC_AUTH_VENCRYPT_TLSVNC;
3413             } else {
3414                 error_setg(errp,
3415                            "Unsupported TLS cred type %s",
3416                            object_get_typename(OBJECT(vs->tlscreds)));
3417                 return -1;
3418             }
3419         } else {
3420             VNC_DEBUG("Initializing VNC server with password auth\n");
3421             vs->auth = VNC_AUTH_VNC;
3422             vs->subauth = VNC_AUTH_INVALID;
3423         }
3424         if (websocket) {
3425             vs->ws_auth = VNC_AUTH_VNC;
3426         } else {
3427             vs->ws_auth = VNC_AUTH_INVALID;
3428         }
3429     } else if (sasl) {
3430         if (vs->tlscreds) {
3431             vs->auth = VNC_AUTH_VENCRYPT;
3432             if (websocket) {
3433                 vs->ws_tls = true;
3434             }
3435             if (object_dynamic_cast(OBJECT(vs->tlscreds),
3436                                     TYPE_QCRYPTO_TLS_CREDS_X509)) {
3437                 VNC_DEBUG("Initializing VNC server with x509 SASL auth\n");
3438                 vs->subauth = VNC_AUTH_VENCRYPT_X509SASL;
3439             } else if (object_dynamic_cast(OBJECT(vs->tlscreds),
3440                                            TYPE_QCRYPTO_TLS_CREDS_ANON)) {
3441                 VNC_DEBUG("Initializing VNC server with TLS SASL auth\n");
3442                 vs->subauth = VNC_AUTH_VENCRYPT_TLSSASL;
3443             } else {
3444                 error_setg(errp,
3445                            "Unsupported TLS cred type %s",
3446                            object_get_typename(OBJECT(vs->tlscreds)));
3447                 return -1;
3448             }
3449         } else {
3450             VNC_DEBUG("Initializing VNC server with SASL auth\n");
3451             vs->auth = VNC_AUTH_SASL;
3452             vs->subauth = VNC_AUTH_INVALID;
3453         }
3454         if (websocket) {
3455             vs->ws_auth = VNC_AUTH_SASL;
3456         } else {
3457             vs->ws_auth = VNC_AUTH_INVALID;
3458         }
3459     } else {
3460         if (vs->tlscreds) {
3461             vs->auth = VNC_AUTH_VENCRYPT;
3462             if (websocket) {
3463                 vs->ws_tls = true;
3464             }
3465             if (object_dynamic_cast(OBJECT(vs->tlscreds),
3466                                     TYPE_QCRYPTO_TLS_CREDS_X509)) {
3467                 VNC_DEBUG("Initializing VNC server with x509 no auth\n");
3468                 vs->subauth = VNC_AUTH_VENCRYPT_X509NONE;
3469             } else if (object_dynamic_cast(OBJECT(vs->tlscreds),
3470                                            TYPE_QCRYPTO_TLS_CREDS_ANON)) {
3471                 VNC_DEBUG("Initializing VNC server with TLS no auth\n");
3472                 vs->subauth = VNC_AUTH_VENCRYPT_TLSNONE;
3473             } else {
3474                 error_setg(errp,
3475                            "Unsupported TLS cred type %s",
3476                            object_get_typename(OBJECT(vs->tlscreds)));
3477                 return -1;
3478             }
3479         } else {
3480             VNC_DEBUG("Initializing VNC server with no auth\n");
3481             vs->auth = VNC_AUTH_NONE;
3482             vs->subauth = VNC_AUTH_INVALID;
3483         }
3484         if (websocket) {
3485             vs->ws_auth = VNC_AUTH_NONE;
3486         } else {
3487             vs->ws_auth = VNC_AUTH_INVALID;
3488         }
3489     }
3490     return 0;
3491 }
3492 
3493 
3494 /*
3495  * Handle back compat with old CLI syntax by creating some
3496  * suitable QCryptoTLSCreds objects
3497  */
3498 static QCryptoTLSCreds *
3499 vnc_display_create_creds(bool x509,
3500                          bool x509verify,
3501                          const char *dir,
3502                          const char *id,
3503                          Error **errp)
3504 {
3505     gchar *credsid = g_strdup_printf("tlsvnc%s", id);
3506     Object *parent = object_get_objects_root();
3507     Object *creds;
3508     Error *err = NULL;
3509 
3510     if (x509) {
3511         creds = object_new_with_props(TYPE_QCRYPTO_TLS_CREDS_X509,
3512                                       parent,
3513                                       credsid,
3514                                       &err,
3515                                       "endpoint", "server",
3516                                       "dir", dir,
3517                                       "verify-peer", x509verify ? "yes" : "no",
3518                                       NULL);
3519     } else {
3520         creds = object_new_with_props(TYPE_QCRYPTO_TLS_CREDS_ANON,
3521                                       parent,
3522                                       credsid,
3523                                       &err,
3524                                       "endpoint", "server",
3525                                       NULL);
3526     }
3527 
3528     g_free(credsid);
3529 
3530     if (err) {
3531         error_propagate(errp, err);
3532         return NULL;
3533     }
3534 
3535     return QCRYPTO_TLS_CREDS(creds);
3536 }
3537 
3538 
3539 void vnc_display_open(const char *id, Error **errp)
3540 {
3541     VncDisplay *vs = vnc_display_find(id);
3542     QemuOpts *opts = qemu_opts_find(&qemu_vnc_opts, id);
3543     SocketAddress *saddr = NULL, *wsaddr = NULL;
3544     const char *share, *device_id;
3545     QemuConsole *con;
3546     bool password = false;
3547     bool reverse = false;
3548     const char *vnc;
3549     char *h;
3550     const char *credid;
3551     bool sasl = false;
3552 #ifdef CONFIG_VNC_SASL
3553     int saslErr;
3554 #endif
3555     int acl = 0;
3556     int lock_key_sync = 1;
3557 
3558     if (!vs) {
3559         error_setg(errp, "VNC display not active");
3560         return;
3561     }
3562     vnc_display_close(vs);
3563 
3564     if (!opts) {
3565         return;
3566     }
3567     vnc = qemu_opt_get(opts, "vnc");
3568     if (!vnc || strcmp(vnc, "none") == 0) {
3569         return;
3570     }
3571 
3572     h = strrchr(vnc, ':');
3573     if (h) {
3574         size_t hlen = h - vnc;
3575 
3576         const char *websocket = qemu_opt_get(opts, "websocket");
3577         int to = qemu_opt_get_number(opts, "to", 0);
3578         bool has_ipv4 = qemu_opt_get_bool(opts, "ipv4", false);
3579         bool has_ipv6 = qemu_opt_get_bool(opts, "ipv6", false);
3580 
3581         saddr = g_new0(SocketAddress, 1);
3582         if (websocket) {
3583             if (!qcrypto_hash_supports(QCRYPTO_HASH_ALG_SHA1)) {
3584                 error_setg(errp,
3585                            "SHA1 hash support is required for websockets");
3586                 goto fail;
3587             }
3588 
3589             wsaddr = g_new0(SocketAddress, 1);
3590             vs->ws_enabled = true;
3591         }
3592 
3593         if (strncmp(vnc, "unix:", 5) == 0) {
3594             saddr->type = SOCKET_ADDRESS_KIND_UNIX;
3595             saddr->u.q_unix = g_new0(UnixSocketAddress, 1);
3596             saddr->u.q_unix->path = g_strdup(vnc + 5);
3597 
3598             if (vs->ws_enabled) {
3599                 error_setg(errp, "UNIX sockets not supported with websock");
3600                 goto fail;
3601             }
3602         } else {
3603             unsigned long long baseport;
3604             saddr->type = SOCKET_ADDRESS_KIND_INET;
3605             saddr->u.inet = g_new0(InetSocketAddress, 1);
3606             if (vnc[0] == '[' && vnc[hlen - 1] == ']') {
3607                 saddr->u.inet->host = g_strndup(vnc + 1, hlen - 2);
3608             } else {
3609                 saddr->u.inet->host = g_strndup(vnc, hlen);
3610             }
3611             if (parse_uint_full(h + 1, &baseport, 10) < 0) {
3612                 error_setg(errp, "can't convert to a number: %s", h + 1);
3613                 goto fail;
3614             }
3615             if (baseport > 65535 ||
3616                 baseport + 5900 > 65535) {
3617                 error_setg(errp, "port %s out of range", h + 1);
3618                 goto fail;
3619             }
3620             saddr->u.inet->port = g_strdup_printf(
3621                 "%d", (int)baseport + 5900);
3622 
3623             if (to) {
3624                 saddr->u.inet->has_to = true;
3625                 saddr->u.inet->to = to + 5900;
3626             }
3627             saddr->u.inet->ipv4 = saddr->u.inet->has_ipv4 = has_ipv4;
3628             saddr->u.inet->ipv6 = saddr->u.inet->has_ipv6 = has_ipv6;
3629 
3630             if (vs->ws_enabled) {
3631                 wsaddr->type = SOCKET_ADDRESS_KIND_INET;
3632                 wsaddr->u.inet = g_new0(InetSocketAddress, 1);
3633                 wsaddr->u.inet->host = g_strdup(saddr->u.inet->host);
3634                 wsaddr->u.inet->port = g_strdup(websocket);
3635 
3636                 if (to) {
3637                     wsaddr->u.inet->has_to = true;
3638                     wsaddr->u.inet->to = to;
3639                 }
3640                 wsaddr->u.inet->ipv4 = wsaddr->u.inet->has_ipv4 = has_ipv4;
3641                 wsaddr->u.inet->ipv6 = wsaddr->u.inet->has_ipv6 = has_ipv6;
3642             }
3643         }
3644     } else {
3645         error_setg(errp, "no vnc port specified");
3646         goto fail;
3647     }
3648 
3649     password = qemu_opt_get_bool(opts, "password", false);
3650     if (password) {
3651         if (fips_get_state()) {
3652             error_setg(errp,
3653                        "VNC password auth disabled due to FIPS mode, "
3654                        "consider using the VeNCrypt or SASL authentication "
3655                        "methods as an alternative");
3656             goto fail;
3657         }
3658         if (!qcrypto_cipher_supports(
3659                 QCRYPTO_CIPHER_ALG_DES_RFB)) {
3660             error_setg(errp,
3661                        "Cipher backend does not support DES RFB algorithm");
3662             goto fail;
3663         }
3664     }
3665 
3666     reverse = qemu_opt_get_bool(opts, "reverse", false);
3667     lock_key_sync = qemu_opt_get_bool(opts, "lock-key-sync", true);
3668     sasl = qemu_opt_get_bool(opts, "sasl", false);
3669 #ifndef CONFIG_VNC_SASL
3670     if (sasl) {
3671         error_setg(errp, "VNC SASL auth requires cyrus-sasl support");
3672         goto fail;
3673     }
3674 #endif /* CONFIG_VNC_SASL */
3675     credid = qemu_opt_get(opts, "tls-creds");
3676     if (credid) {
3677         Object *creds;
3678         if (qemu_opt_get(opts, "tls") ||
3679             qemu_opt_get(opts, "x509") ||
3680             qemu_opt_get(opts, "x509verify")) {
3681             error_setg(errp,
3682                        "'credid' parameter is mutually exclusive with "
3683                        "'tls', 'x509' and 'x509verify' parameters");
3684             goto fail;
3685         }
3686 
3687         creds = object_resolve_path_component(
3688             object_get_objects_root(), credid);
3689         if (!creds) {
3690             error_setg(errp, "No TLS credentials with id '%s'",
3691                        credid);
3692             goto fail;
3693         }
3694         vs->tlscreds = (QCryptoTLSCreds *)
3695             object_dynamic_cast(creds,
3696                                 TYPE_QCRYPTO_TLS_CREDS);
3697         if (!vs->tlscreds) {
3698             error_setg(errp, "Object with id '%s' is not TLS credentials",
3699                        credid);
3700             goto fail;
3701         }
3702         object_ref(OBJECT(vs->tlscreds));
3703 
3704         if (vs->tlscreds->endpoint != QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) {
3705             error_setg(errp,
3706                        "Expecting TLS credentials with a server endpoint");
3707             goto fail;
3708         }
3709     } else {
3710         const char *path;
3711         bool tls = false, x509 = false, x509verify = false;
3712         tls  = qemu_opt_get_bool(opts, "tls", false);
3713         if (tls) {
3714             path = qemu_opt_get(opts, "x509");
3715 
3716             if (path) {
3717                 x509 = true;
3718             } else {
3719                 path = qemu_opt_get(opts, "x509verify");
3720                 if (path) {
3721                     x509 = true;
3722                     x509verify = true;
3723                 }
3724             }
3725             vs->tlscreds = vnc_display_create_creds(x509,
3726                                                     x509verify,
3727                                                     path,
3728                                                     vs->id,
3729                                                     errp);
3730             if (!vs->tlscreds) {
3731                 goto fail;
3732             }
3733         }
3734     }
3735     acl = qemu_opt_get_bool(opts, "acl", false);
3736 
3737     share = qemu_opt_get(opts, "share");
3738     if (share) {
3739         if (strcmp(share, "ignore") == 0) {
3740             vs->share_policy = VNC_SHARE_POLICY_IGNORE;
3741         } else if (strcmp(share, "allow-exclusive") == 0) {
3742             vs->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
3743         } else if (strcmp(share, "force-shared") == 0) {
3744             vs->share_policy = VNC_SHARE_POLICY_FORCE_SHARED;
3745         } else {
3746             error_setg(errp, "unknown vnc share= option");
3747             goto fail;
3748         }
3749     } else {
3750         vs->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
3751     }
3752     vs->connections_limit = qemu_opt_get_number(opts, "connections", 32);
3753 
3754 #ifdef CONFIG_VNC_JPEG
3755     vs->lossy = qemu_opt_get_bool(opts, "lossy", false);
3756 #endif
3757     vs->non_adaptive = qemu_opt_get_bool(opts, "non-adaptive", false);
3758     /* adaptive updates are only used with tight encoding and
3759      * if lossy updates are enabled so we can disable all the
3760      * calculations otherwise */
3761     if (!vs->lossy) {
3762         vs->non_adaptive = true;
3763     }
3764 
3765     if (acl) {
3766         if (strcmp(vs->id, "default") == 0) {
3767             vs->tlsaclname = g_strdup("vnc.x509dname");
3768         } else {
3769             vs->tlsaclname = g_strdup_printf("vnc.%s.x509dname", vs->id);
3770         }
3771         qemu_acl_init(vs->tlsaclname);
3772      }
3773 #ifdef CONFIG_VNC_SASL
3774     if (acl && sasl) {
3775         char *aclname;
3776 
3777         if (strcmp(vs->id, "default") == 0) {
3778             aclname = g_strdup("vnc.username");
3779         } else {
3780             aclname = g_strdup_printf("vnc.%s.username", vs->id);
3781         }
3782         vs->sasl.acl = qemu_acl_init(aclname);
3783         g_free(aclname);
3784     }
3785 #endif
3786 
3787     if (vnc_display_setup_auth(vs, password, sasl, vs->ws_enabled, errp) < 0) {
3788         goto fail;
3789     }
3790 
3791 #ifdef CONFIG_VNC_SASL
3792     if ((saslErr = sasl_server_init(NULL, "qemu")) != SASL_OK) {
3793         error_setg(errp, "Failed to initialize SASL auth: %s",
3794                    sasl_errstring(saslErr, NULL, NULL));
3795         goto fail;
3796     }
3797 #endif
3798     vs->lock_key_sync = lock_key_sync;
3799 
3800     device_id = qemu_opt_get(opts, "display");
3801     if (device_id) {
3802         DeviceState *dev;
3803         int head = qemu_opt_get_number(opts, "head", 0);
3804 
3805         dev = qdev_find_recursive(sysbus_get_default(), device_id);
3806         if (dev == NULL) {
3807             error_setg(errp, "Device '%s' not found", device_id);
3808             goto fail;
3809         }
3810 
3811         con = qemu_console_lookup_by_device(dev, head);
3812         if (con == NULL) {
3813             error_setg(errp, "Device %s is not bound to a QemuConsole",
3814                        device_id);
3815             goto fail;
3816         }
3817     } else {
3818         con = NULL;
3819     }
3820 
3821     if (con != vs->dcl.con) {
3822         unregister_displaychangelistener(&vs->dcl);
3823         vs->dcl.con = con;
3824         register_displaychangelistener(&vs->dcl);
3825     }
3826 
3827     if (reverse) {
3828         /* connect to viewer */
3829         int csock;
3830         vs->lsock = -1;
3831         vs->lwebsock = -1;
3832         if (vs->ws_enabled) {
3833             error_setg(errp, "Cannot use websockets in reverse mode");
3834             goto fail;
3835         }
3836         csock = socket_connect(saddr, errp, NULL, NULL);
3837         if (csock < 0) {
3838             goto fail;
3839         }
3840         vs->is_unix = saddr->type == SOCKET_ADDRESS_KIND_UNIX;
3841         vnc_connect(vs, csock, false, false);
3842     } else {
3843         /* listen for connects */
3844         vs->lsock = socket_listen(saddr, errp);
3845         if (vs->lsock < 0) {
3846             goto fail;
3847         }
3848         vs->is_unix = saddr->type == SOCKET_ADDRESS_KIND_UNIX;
3849         if (vs->ws_enabled) {
3850             vs->lwebsock = socket_listen(wsaddr, errp);
3851             if (vs->lwebsock < 0) {
3852                 if (vs->lsock != -1) {
3853                     close(vs->lsock);
3854                     vs->lsock = -1;
3855                 }
3856                 goto fail;
3857             }
3858         }
3859         vs->enabled = true;
3860         qemu_set_fd_handler(vs->lsock, vnc_listen_regular_read, NULL, vs);
3861         if (vs->ws_enabled) {
3862             qemu_set_fd_handler(vs->lwebsock, vnc_listen_websocket_read,
3863                                 NULL, vs);
3864         }
3865     }
3866 
3867     qapi_free_SocketAddress(saddr);
3868     qapi_free_SocketAddress(wsaddr);
3869     return;
3870 
3871 fail:
3872     qapi_free_SocketAddress(saddr);
3873     qapi_free_SocketAddress(wsaddr);
3874     vs->enabled = false;
3875     vs->ws_enabled = false;
3876 }
3877 
3878 void vnc_display_add_client(const char *id, int csock, bool skipauth)
3879 {
3880     VncDisplay *vs = vnc_display_find(id);
3881 
3882     if (!vs) {
3883         return;
3884     }
3885     vnc_connect(vs, csock, skipauth, false);
3886 }
3887 
3888 static void vnc_auto_assign_id(QemuOptsList *olist, QemuOpts *opts)
3889 {
3890     int i = 2;
3891     char *id;
3892 
3893     id = g_strdup("default");
3894     while (qemu_opts_find(olist, id)) {
3895         g_free(id);
3896         id = g_strdup_printf("vnc%d", i++);
3897     }
3898     qemu_opts_set_id(opts, id);
3899 }
3900 
3901 QemuOpts *vnc_parse(const char *str, Error **errp)
3902 {
3903     QemuOptsList *olist = qemu_find_opts("vnc");
3904     QemuOpts *opts = qemu_opts_parse(olist, str, true, errp);
3905     const char *id;
3906 
3907     if (!opts) {
3908         return NULL;
3909     }
3910 
3911     id = qemu_opts_id(opts);
3912     if (!id) {
3913         /* auto-assign id if not present */
3914         vnc_auto_assign_id(olist, opts);
3915     }
3916     return opts;
3917 }
3918 
3919 int vnc_init_func(void *opaque, QemuOpts *opts, Error **errp)
3920 {
3921     Error *local_err = NULL;
3922     char *id = (char *)qemu_opts_id(opts);
3923 
3924     assert(id);
3925     vnc_display_init(id);
3926     vnc_display_open(id, &local_err);
3927     if (local_err != NULL) {
3928         error_report("Failed to start VNC server: %s",
3929                      error_get_pretty(local_err));
3930         error_free(local_err);
3931         exit(1);
3932     }
3933     return 0;
3934 }
3935 
3936 static void vnc_register_config(void)
3937 {
3938     qemu_add_opts(&qemu_vnc_opts);
3939 }
3940 machine_init(vnc_register_config);
3941