xref: /openbmc/qemu/ui/vnc.c (revision f79081b4)
1 /*
2  * QEMU VNC display driver
3  *
4  * Copyright (C) 2006 Anthony Liguori <anthony@codemonkey.ws>
5  * Copyright (C) 2006 Fabrice Bellard
6  * Copyright (C) 2009 Red Hat, Inc
7  *
8  * Permission is hereby granted, free of charge, to any person obtaining a copy
9  * of this software and associated documentation files (the "Software"), to deal
10  * in the Software without restriction, including without limitation the rights
11  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
12  * copies of the Software, and to permit persons to whom the Software is
13  * furnished to do so, subject to the following conditions:
14  *
15  * The above copyright notice and this permission notice shall be included in
16  * all copies or substantial portions of the Software.
17  *
18  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
19  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
20  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
21  * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
22  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
23  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
24  * THE SOFTWARE.
25  */
26 
27 #include "qemu/osdep.h"
28 #include "vnc.h"
29 #include "vnc-jobs.h"
30 #include "trace.h"
31 #include "sysemu/sysemu.h"
32 #include "qemu/error-report.h"
33 #include "qemu/option.h"
34 #include "qemu/sockets.h"
35 #include "qemu/timer.h"
36 #include "authz/list.h"
37 #include "qemu/config-file.h"
38 #include "qapi/qapi-emit-events.h"
39 #include "qapi/qapi-events-ui.h"
40 #include "qapi/error.h"
41 #include "qapi/qapi-commands-ui.h"
42 #include "ui/input.h"
43 #include "crypto/hash.h"
44 #include "crypto/tlscredsanon.h"
45 #include "crypto/tlscredsx509.h"
46 #include "crypto/random.h"
47 #include "qom/object_interfaces.h"
48 #include "qemu/cutils.h"
49 #include "io/dns-resolver.h"
50 
51 #define VNC_REFRESH_INTERVAL_BASE GUI_REFRESH_INTERVAL_DEFAULT
52 #define VNC_REFRESH_INTERVAL_INC  50
53 #define VNC_REFRESH_INTERVAL_MAX  GUI_REFRESH_INTERVAL_IDLE
54 static const struct timeval VNC_REFRESH_STATS = { 0, 500000 };
55 static const struct timeval VNC_REFRESH_LOSSY = { 2, 0 };
56 
57 #include "vnc_keysym.h"
58 #include "crypto/cipher.h"
59 
60 static QTAILQ_HEAD(, VncDisplay) vnc_displays =
61     QTAILQ_HEAD_INITIALIZER(vnc_displays);
62 
63 static int vnc_cursor_define(VncState *vs);
64 static void vnc_update_throttle_offset(VncState *vs);
65 
66 static void vnc_set_share_mode(VncState *vs, VncShareMode mode)
67 {
68 #ifdef _VNC_DEBUG
69     static const char *mn[] = {
70         [0]                           = "undefined",
71         [VNC_SHARE_MODE_CONNECTING]   = "connecting",
72         [VNC_SHARE_MODE_SHARED]       = "shared",
73         [VNC_SHARE_MODE_EXCLUSIVE]    = "exclusive",
74         [VNC_SHARE_MODE_DISCONNECTED] = "disconnected",
75     };
76     fprintf(stderr, "%s/%p: %s -> %s\n", __func__,
77             vs->ioc, mn[vs->share_mode], mn[mode]);
78 #endif
79 
80     switch (vs->share_mode) {
81     case VNC_SHARE_MODE_CONNECTING:
82         vs->vd->num_connecting--;
83         break;
84     case VNC_SHARE_MODE_SHARED:
85         vs->vd->num_shared--;
86         break;
87     case VNC_SHARE_MODE_EXCLUSIVE:
88         vs->vd->num_exclusive--;
89         break;
90     default:
91         break;
92     }
93 
94     vs->share_mode = mode;
95 
96     switch (vs->share_mode) {
97     case VNC_SHARE_MODE_CONNECTING:
98         vs->vd->num_connecting++;
99         break;
100     case VNC_SHARE_MODE_SHARED:
101         vs->vd->num_shared++;
102         break;
103     case VNC_SHARE_MODE_EXCLUSIVE:
104         vs->vd->num_exclusive++;
105         break;
106     default:
107         break;
108     }
109 }
110 
111 
112 static void vnc_init_basic_info(SocketAddress *addr,
113                                 VncBasicInfo *info,
114                                 Error **errp)
115 {
116     switch (addr->type) {
117     case SOCKET_ADDRESS_TYPE_INET:
118         info->host = g_strdup(addr->u.inet.host);
119         info->service = g_strdup(addr->u.inet.port);
120         if (addr->u.inet.ipv6) {
121             info->family = NETWORK_ADDRESS_FAMILY_IPV6;
122         } else {
123             info->family = NETWORK_ADDRESS_FAMILY_IPV4;
124         }
125         break;
126 
127     case SOCKET_ADDRESS_TYPE_UNIX:
128         info->host = g_strdup("");
129         info->service = g_strdup(addr->u.q_unix.path);
130         info->family = NETWORK_ADDRESS_FAMILY_UNIX;
131         break;
132 
133     case SOCKET_ADDRESS_TYPE_VSOCK:
134     case SOCKET_ADDRESS_TYPE_FD:
135         error_setg(errp, "Unsupported socket address type %s",
136                    SocketAddressType_str(addr->type));
137         break;
138     default:
139         abort();
140     }
141 
142     return;
143 }
144 
145 static void vnc_init_basic_info_from_server_addr(QIOChannelSocket *ioc,
146                                                  VncBasicInfo *info,
147                                                  Error **errp)
148 {
149     SocketAddress *addr = NULL;
150 
151     if (!ioc) {
152         error_setg(errp, "No listener socket available");
153         return;
154     }
155 
156     addr = qio_channel_socket_get_local_address(ioc, errp);
157     if (!addr) {
158         return;
159     }
160 
161     vnc_init_basic_info(addr, info, errp);
162     qapi_free_SocketAddress(addr);
163 }
164 
165 static void vnc_init_basic_info_from_remote_addr(QIOChannelSocket *ioc,
166                                                  VncBasicInfo *info,
167                                                  Error **errp)
168 {
169     SocketAddress *addr = NULL;
170 
171     addr = qio_channel_socket_get_remote_address(ioc, errp);
172     if (!addr) {
173         return;
174     }
175 
176     vnc_init_basic_info(addr, info, errp);
177     qapi_free_SocketAddress(addr);
178 }
179 
180 static const char *vnc_auth_name(VncDisplay *vd) {
181     switch (vd->auth) {
182     case VNC_AUTH_INVALID:
183         return "invalid";
184     case VNC_AUTH_NONE:
185         return "none";
186     case VNC_AUTH_VNC:
187         return "vnc";
188     case VNC_AUTH_RA2:
189         return "ra2";
190     case VNC_AUTH_RA2NE:
191         return "ra2ne";
192     case VNC_AUTH_TIGHT:
193         return "tight";
194     case VNC_AUTH_ULTRA:
195         return "ultra";
196     case VNC_AUTH_TLS:
197         return "tls";
198     case VNC_AUTH_VENCRYPT:
199         switch (vd->subauth) {
200         case VNC_AUTH_VENCRYPT_PLAIN:
201             return "vencrypt+plain";
202         case VNC_AUTH_VENCRYPT_TLSNONE:
203             return "vencrypt+tls+none";
204         case VNC_AUTH_VENCRYPT_TLSVNC:
205             return "vencrypt+tls+vnc";
206         case VNC_AUTH_VENCRYPT_TLSPLAIN:
207             return "vencrypt+tls+plain";
208         case VNC_AUTH_VENCRYPT_X509NONE:
209             return "vencrypt+x509+none";
210         case VNC_AUTH_VENCRYPT_X509VNC:
211             return "vencrypt+x509+vnc";
212         case VNC_AUTH_VENCRYPT_X509PLAIN:
213             return "vencrypt+x509+plain";
214         case VNC_AUTH_VENCRYPT_TLSSASL:
215             return "vencrypt+tls+sasl";
216         case VNC_AUTH_VENCRYPT_X509SASL:
217             return "vencrypt+x509+sasl";
218         default:
219             return "vencrypt";
220         }
221     case VNC_AUTH_SASL:
222         return "sasl";
223     }
224     return "unknown";
225 }
226 
227 static VncServerInfo *vnc_server_info_get(VncDisplay *vd)
228 {
229     VncServerInfo *info;
230     Error *err = NULL;
231 
232     if (!vd->listener || !vd->listener->nsioc) {
233         return NULL;
234     }
235 
236     info = g_malloc0(sizeof(*info));
237     vnc_init_basic_info_from_server_addr(vd->listener->sioc[0],
238                                          qapi_VncServerInfo_base(info), &err);
239     info->has_auth = true;
240     info->auth = g_strdup(vnc_auth_name(vd));
241     if (err) {
242         qapi_free_VncServerInfo(info);
243         info = NULL;
244         error_free(err);
245     }
246     return info;
247 }
248 
249 static void vnc_client_cache_auth(VncState *client)
250 {
251     if (!client->info) {
252         return;
253     }
254 
255     if (client->tls) {
256         client->info->x509_dname =
257             qcrypto_tls_session_get_peer_name(client->tls);
258         client->info->has_x509_dname =
259             client->info->x509_dname != NULL;
260     }
261 #ifdef CONFIG_VNC_SASL
262     if (client->sasl.conn &&
263         client->sasl.username) {
264         client->info->has_sasl_username = true;
265         client->info->sasl_username = g_strdup(client->sasl.username);
266     }
267 #endif
268 }
269 
270 static void vnc_client_cache_addr(VncState *client)
271 {
272     Error *err = NULL;
273 
274     client->info = g_malloc0(sizeof(*client->info));
275     vnc_init_basic_info_from_remote_addr(client->sioc,
276                                          qapi_VncClientInfo_base(client->info),
277                                          &err);
278     if (err) {
279         qapi_free_VncClientInfo(client->info);
280         client->info = NULL;
281         error_free(err);
282     }
283 }
284 
285 static void vnc_qmp_event(VncState *vs, QAPIEvent event)
286 {
287     VncServerInfo *si;
288 
289     if (!vs->info) {
290         return;
291     }
292 
293     si = vnc_server_info_get(vs->vd);
294     if (!si) {
295         return;
296     }
297 
298     switch (event) {
299     case QAPI_EVENT_VNC_CONNECTED:
300         qapi_event_send_vnc_connected(si, qapi_VncClientInfo_base(vs->info));
301         break;
302     case QAPI_EVENT_VNC_INITIALIZED:
303         qapi_event_send_vnc_initialized(si, vs->info);
304         break;
305     case QAPI_EVENT_VNC_DISCONNECTED:
306         qapi_event_send_vnc_disconnected(si, vs->info);
307         break;
308     default:
309         break;
310     }
311 
312     qapi_free_VncServerInfo(si);
313 }
314 
315 static VncClientInfo *qmp_query_vnc_client(const VncState *client)
316 {
317     VncClientInfo *info;
318     Error *err = NULL;
319 
320     info = g_malloc0(sizeof(*info));
321 
322     vnc_init_basic_info_from_remote_addr(client->sioc,
323                                          qapi_VncClientInfo_base(info),
324                                          &err);
325     if (err) {
326         error_free(err);
327         qapi_free_VncClientInfo(info);
328         return NULL;
329     }
330 
331     info->websocket = client->websocket;
332 
333     if (client->tls) {
334         info->x509_dname = qcrypto_tls_session_get_peer_name(client->tls);
335         info->has_x509_dname = info->x509_dname != NULL;
336     }
337 #ifdef CONFIG_VNC_SASL
338     if (client->sasl.conn && client->sasl.username) {
339         info->has_sasl_username = true;
340         info->sasl_username = g_strdup(client->sasl.username);
341     }
342 #endif
343 
344     return info;
345 }
346 
347 static VncDisplay *vnc_display_find(const char *id)
348 {
349     VncDisplay *vd;
350 
351     if (id == NULL) {
352         return QTAILQ_FIRST(&vnc_displays);
353     }
354     QTAILQ_FOREACH(vd, &vnc_displays, next) {
355         if (strcmp(id, vd->id) == 0) {
356             return vd;
357         }
358     }
359     return NULL;
360 }
361 
362 static VncClientInfoList *qmp_query_client_list(VncDisplay *vd)
363 {
364     VncClientInfoList *cinfo, *prev = NULL;
365     VncState *client;
366 
367     QTAILQ_FOREACH(client, &vd->clients, next) {
368         cinfo = g_new0(VncClientInfoList, 1);
369         cinfo->value = qmp_query_vnc_client(client);
370         cinfo->next = prev;
371         prev = cinfo;
372     }
373     return prev;
374 }
375 
376 VncInfo *qmp_query_vnc(Error **errp)
377 {
378     VncInfo *info = g_malloc0(sizeof(*info));
379     VncDisplay *vd = vnc_display_find(NULL);
380     SocketAddress *addr = NULL;
381 
382     if (vd == NULL || !vd->listener || !vd->listener->nsioc) {
383         info->enabled = false;
384     } else {
385         info->enabled = true;
386 
387         /* for compatibility with the original command */
388         info->has_clients = true;
389         info->clients = qmp_query_client_list(vd);
390 
391         addr = qio_channel_socket_get_local_address(vd->listener->sioc[0],
392                                                     errp);
393         if (!addr) {
394             goto out_error;
395         }
396 
397         switch (addr->type) {
398         case SOCKET_ADDRESS_TYPE_INET:
399             info->host = g_strdup(addr->u.inet.host);
400             info->service = g_strdup(addr->u.inet.port);
401             if (addr->u.inet.ipv6) {
402                 info->family = NETWORK_ADDRESS_FAMILY_IPV6;
403             } else {
404                 info->family = NETWORK_ADDRESS_FAMILY_IPV4;
405             }
406             break;
407 
408         case SOCKET_ADDRESS_TYPE_UNIX:
409             info->host = g_strdup("");
410             info->service = g_strdup(addr->u.q_unix.path);
411             info->family = NETWORK_ADDRESS_FAMILY_UNIX;
412             break;
413 
414         case SOCKET_ADDRESS_TYPE_VSOCK:
415         case SOCKET_ADDRESS_TYPE_FD:
416             error_setg(errp, "Unsupported socket address type %s",
417                        SocketAddressType_str(addr->type));
418             goto out_error;
419         default:
420             abort();
421         }
422 
423         info->has_host = true;
424         info->has_service = true;
425         info->has_family = true;
426 
427         info->has_auth = true;
428         info->auth = g_strdup(vnc_auth_name(vd));
429     }
430 
431     qapi_free_SocketAddress(addr);
432     return info;
433 
434 out_error:
435     qapi_free_SocketAddress(addr);
436     qapi_free_VncInfo(info);
437     return NULL;
438 }
439 
440 
441 static void qmp_query_auth(int auth, int subauth,
442                            VncPrimaryAuth *qmp_auth,
443                            VncVencryptSubAuth *qmp_vencrypt,
444                            bool *qmp_has_vencrypt);
445 
446 static VncServerInfo2List *qmp_query_server_entry(QIOChannelSocket *ioc,
447                                                   bool websocket,
448                                                   int auth,
449                                                   int subauth,
450                                                   VncServerInfo2List *prev)
451 {
452     VncServerInfo2List *list;
453     VncServerInfo2 *info;
454     Error *err = NULL;
455     SocketAddress *addr;
456 
457     addr = qio_channel_socket_get_local_address(ioc, &err);
458     if (!addr) {
459         error_free(err);
460         return prev;
461     }
462 
463     info = g_new0(VncServerInfo2, 1);
464     vnc_init_basic_info(addr, qapi_VncServerInfo2_base(info), &err);
465     qapi_free_SocketAddress(addr);
466     if (err) {
467         qapi_free_VncServerInfo2(info);
468         error_free(err);
469         return prev;
470     }
471     info->websocket = websocket;
472 
473     qmp_query_auth(auth, subauth, &info->auth,
474                    &info->vencrypt, &info->has_vencrypt);
475 
476     list = g_new0(VncServerInfo2List, 1);
477     list->value = info;
478     list->next = prev;
479     return list;
480 }
481 
482 static void qmp_query_auth(int auth, int subauth,
483                            VncPrimaryAuth *qmp_auth,
484                            VncVencryptSubAuth *qmp_vencrypt,
485                            bool *qmp_has_vencrypt)
486 {
487     switch (auth) {
488     case VNC_AUTH_VNC:
489         *qmp_auth = VNC_PRIMARY_AUTH_VNC;
490         break;
491     case VNC_AUTH_RA2:
492         *qmp_auth = VNC_PRIMARY_AUTH_RA2;
493         break;
494     case VNC_AUTH_RA2NE:
495         *qmp_auth = VNC_PRIMARY_AUTH_RA2NE;
496         break;
497     case VNC_AUTH_TIGHT:
498         *qmp_auth = VNC_PRIMARY_AUTH_TIGHT;
499         break;
500     case VNC_AUTH_ULTRA:
501         *qmp_auth = VNC_PRIMARY_AUTH_ULTRA;
502         break;
503     case VNC_AUTH_TLS:
504         *qmp_auth = VNC_PRIMARY_AUTH_TLS;
505         break;
506     case VNC_AUTH_VENCRYPT:
507         *qmp_auth = VNC_PRIMARY_AUTH_VENCRYPT;
508         *qmp_has_vencrypt = true;
509         switch (subauth) {
510         case VNC_AUTH_VENCRYPT_PLAIN:
511             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_PLAIN;
512             break;
513         case VNC_AUTH_VENCRYPT_TLSNONE:
514             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_NONE;
515             break;
516         case VNC_AUTH_VENCRYPT_TLSVNC:
517             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_VNC;
518             break;
519         case VNC_AUTH_VENCRYPT_TLSPLAIN:
520             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_PLAIN;
521             break;
522         case VNC_AUTH_VENCRYPT_X509NONE:
523             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_NONE;
524             break;
525         case VNC_AUTH_VENCRYPT_X509VNC:
526             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_VNC;
527             break;
528         case VNC_AUTH_VENCRYPT_X509PLAIN:
529             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_PLAIN;
530             break;
531         case VNC_AUTH_VENCRYPT_TLSSASL:
532             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_SASL;
533             break;
534         case VNC_AUTH_VENCRYPT_X509SASL:
535             *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_SASL;
536             break;
537         default:
538             *qmp_has_vencrypt = false;
539             break;
540         }
541         break;
542     case VNC_AUTH_SASL:
543         *qmp_auth = VNC_PRIMARY_AUTH_SASL;
544         break;
545     case VNC_AUTH_NONE:
546     default:
547         *qmp_auth = VNC_PRIMARY_AUTH_NONE;
548         break;
549     }
550 }
551 
552 VncInfo2List *qmp_query_vnc_servers(Error **errp)
553 {
554     VncInfo2List *item, *prev = NULL;
555     VncInfo2 *info;
556     VncDisplay *vd;
557     DeviceState *dev;
558     size_t i;
559 
560     QTAILQ_FOREACH(vd, &vnc_displays, next) {
561         info = g_new0(VncInfo2, 1);
562         info->id = g_strdup(vd->id);
563         info->clients = qmp_query_client_list(vd);
564         qmp_query_auth(vd->auth, vd->subauth, &info->auth,
565                        &info->vencrypt, &info->has_vencrypt);
566         if (vd->dcl.con) {
567             dev = DEVICE(object_property_get_link(OBJECT(vd->dcl.con),
568                                                   "device", NULL));
569             info->has_display = true;
570             info->display = g_strdup(dev->id);
571         }
572         for (i = 0; vd->listener != NULL && i < vd->listener->nsioc; i++) {
573             info->server = qmp_query_server_entry(
574                 vd->listener->sioc[i], false, vd->auth, vd->subauth,
575                 info->server);
576         }
577         for (i = 0; vd->wslistener != NULL && i < vd->wslistener->nsioc; i++) {
578             info->server = qmp_query_server_entry(
579                 vd->wslistener->sioc[i], true, vd->ws_auth,
580                 vd->ws_subauth, info->server);
581         }
582 
583         item = g_new0(VncInfo2List, 1);
584         item->value = info;
585         item->next = prev;
586         prev = item;
587     }
588     return prev;
589 }
590 
591 /* TODO
592    1) Get the queue working for IO.
593    2) there is some weirdness when using the -S option (the screen is grey
594       and not totally invalidated
595    3) resolutions > 1024
596 */
597 
598 static int vnc_update_client(VncState *vs, int has_dirty);
599 static void vnc_disconnect_start(VncState *vs);
600 
601 static void vnc_colordepth(VncState *vs);
602 static void framebuffer_update_request(VncState *vs, int incremental,
603                                        int x_position, int y_position,
604                                        int w, int h);
605 static void vnc_refresh(DisplayChangeListener *dcl);
606 static int vnc_refresh_server_surface(VncDisplay *vd);
607 
608 static int vnc_width(VncDisplay *vd)
609 {
610     return MIN(VNC_MAX_WIDTH, ROUND_UP(surface_width(vd->ds),
611                                        VNC_DIRTY_PIXELS_PER_BIT));
612 }
613 
614 static int vnc_height(VncDisplay *vd)
615 {
616     return MIN(VNC_MAX_HEIGHT, surface_height(vd->ds));
617 }
618 
619 static void vnc_set_area_dirty(DECLARE_BITMAP(dirty[VNC_MAX_HEIGHT],
620                                VNC_MAX_WIDTH / VNC_DIRTY_PIXELS_PER_BIT),
621                                VncDisplay *vd,
622                                int x, int y, int w, int h)
623 {
624     int width = vnc_width(vd);
625     int height = vnc_height(vd);
626 
627     /* this is needed this to ensure we updated all affected
628      * blocks if x % VNC_DIRTY_PIXELS_PER_BIT != 0 */
629     w += (x % VNC_DIRTY_PIXELS_PER_BIT);
630     x -= (x % VNC_DIRTY_PIXELS_PER_BIT);
631 
632     x = MIN(x, width);
633     y = MIN(y, height);
634     w = MIN(x + w, width) - x;
635     h = MIN(y + h, height);
636 
637     for (; y < h; y++) {
638         bitmap_set(dirty[y], x / VNC_DIRTY_PIXELS_PER_BIT,
639                    DIV_ROUND_UP(w, VNC_DIRTY_PIXELS_PER_BIT));
640     }
641 }
642 
643 static void vnc_dpy_update(DisplayChangeListener *dcl,
644                            int x, int y, int w, int h)
645 {
646     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
647     struct VncSurface *s = &vd->guest;
648 
649     vnc_set_area_dirty(s->dirty, vd, x, y, w, h);
650 }
651 
652 void vnc_framebuffer_update(VncState *vs, int x, int y, int w, int h,
653                             int32_t encoding)
654 {
655     vnc_write_u16(vs, x);
656     vnc_write_u16(vs, y);
657     vnc_write_u16(vs, w);
658     vnc_write_u16(vs, h);
659 
660     vnc_write_s32(vs, encoding);
661 }
662 
663 
664 static void vnc_desktop_resize(VncState *vs)
665 {
666     if (vs->ioc == NULL || !vnc_has_feature(vs, VNC_FEATURE_RESIZE)) {
667         return;
668     }
669     if (vs->client_width == pixman_image_get_width(vs->vd->server) &&
670         vs->client_height == pixman_image_get_height(vs->vd->server)) {
671         return;
672     }
673 
674     assert(pixman_image_get_width(vs->vd->server) < 65536 &&
675            pixman_image_get_width(vs->vd->server) >= 0);
676     assert(pixman_image_get_height(vs->vd->server) < 65536 &&
677            pixman_image_get_height(vs->vd->server) >= 0);
678     vs->client_width = pixman_image_get_width(vs->vd->server);
679     vs->client_height = pixman_image_get_height(vs->vd->server);
680     vnc_lock_output(vs);
681     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
682     vnc_write_u8(vs, 0);
683     vnc_write_u16(vs, 1); /* number of rects */
684     vnc_framebuffer_update(vs, 0, 0, vs->client_width, vs->client_height,
685                            VNC_ENCODING_DESKTOPRESIZE);
686     vnc_unlock_output(vs);
687     vnc_flush(vs);
688 }
689 
690 static void vnc_abort_display_jobs(VncDisplay *vd)
691 {
692     VncState *vs;
693 
694     QTAILQ_FOREACH(vs, &vd->clients, next) {
695         vnc_lock_output(vs);
696         vs->abort = true;
697         vnc_unlock_output(vs);
698     }
699     QTAILQ_FOREACH(vs, &vd->clients, next) {
700         vnc_jobs_join(vs);
701     }
702     QTAILQ_FOREACH(vs, &vd->clients, next) {
703         vnc_lock_output(vs);
704         if (vs->update == VNC_STATE_UPDATE_NONE &&
705             vs->job_update != VNC_STATE_UPDATE_NONE) {
706             /* job aborted before completion */
707             vs->update = vs->job_update;
708             vs->job_update = VNC_STATE_UPDATE_NONE;
709         }
710         vs->abort = false;
711         vnc_unlock_output(vs);
712     }
713 }
714 
715 int vnc_server_fb_stride(VncDisplay *vd)
716 {
717     return pixman_image_get_stride(vd->server);
718 }
719 
720 void *vnc_server_fb_ptr(VncDisplay *vd, int x, int y)
721 {
722     uint8_t *ptr;
723 
724     ptr  = (uint8_t *)pixman_image_get_data(vd->server);
725     ptr += y * vnc_server_fb_stride(vd);
726     ptr += x * VNC_SERVER_FB_BYTES;
727     return ptr;
728 }
729 
730 static void vnc_update_server_surface(VncDisplay *vd)
731 {
732     int width, height;
733 
734     qemu_pixman_image_unref(vd->server);
735     vd->server = NULL;
736 
737     if (QTAILQ_EMPTY(&vd->clients)) {
738         return;
739     }
740 
741     width = vnc_width(vd);
742     height = vnc_height(vd);
743     vd->server = pixman_image_create_bits(VNC_SERVER_FB_FORMAT,
744                                           width, height,
745                                           NULL, 0);
746 
747     memset(vd->guest.dirty, 0x00, sizeof(vd->guest.dirty));
748     vnc_set_area_dirty(vd->guest.dirty, vd, 0, 0,
749                        width, height);
750 }
751 
752 static bool vnc_check_pageflip(DisplaySurface *s1,
753                                DisplaySurface *s2)
754 {
755     return (s1 != NULL &&
756             s2 != NULL &&
757             surface_width(s1) == surface_width(s2) &&
758             surface_height(s1) == surface_height(s2) &&
759             surface_format(s1) == surface_format(s2));
760 
761 }
762 
763 static void vnc_dpy_switch(DisplayChangeListener *dcl,
764                            DisplaySurface *surface)
765 {
766     static const char placeholder_msg[] =
767         "Display output is not active.";
768     static DisplaySurface *placeholder;
769     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
770     bool pageflip = vnc_check_pageflip(vd->ds, surface);
771     VncState *vs;
772 
773     if (surface == NULL) {
774         if (placeholder == NULL) {
775             placeholder = qemu_create_message_surface(640, 480, placeholder_msg);
776         }
777         surface = placeholder;
778     }
779 
780     vnc_abort_display_jobs(vd);
781     vd->ds = surface;
782 
783     /* guest surface */
784     qemu_pixman_image_unref(vd->guest.fb);
785     vd->guest.fb = pixman_image_ref(surface->image);
786     vd->guest.format = surface->format;
787 
788     if (pageflip) {
789         vnc_set_area_dirty(vd->guest.dirty, vd, 0, 0,
790                            surface_width(surface),
791                            surface_height(surface));
792         return;
793     }
794 
795     /* server surface */
796     vnc_update_server_surface(vd);
797 
798     QTAILQ_FOREACH(vs, &vd->clients, next) {
799         vnc_colordepth(vs);
800         vnc_desktop_resize(vs);
801         if (vs->vd->cursor) {
802             vnc_cursor_define(vs);
803         }
804         memset(vs->dirty, 0x00, sizeof(vs->dirty));
805         vnc_set_area_dirty(vs->dirty, vd, 0, 0,
806                            vnc_width(vd),
807                            vnc_height(vd));
808         vnc_update_throttle_offset(vs);
809     }
810 }
811 
812 /* fastest code */
813 static void vnc_write_pixels_copy(VncState *vs,
814                                   void *pixels, int size)
815 {
816     vnc_write(vs, pixels, size);
817 }
818 
819 /* slowest but generic code. */
820 void vnc_convert_pixel(VncState *vs, uint8_t *buf, uint32_t v)
821 {
822     uint8_t r, g, b;
823 
824 #if VNC_SERVER_FB_FORMAT == PIXMAN_FORMAT(32, PIXMAN_TYPE_ARGB, 0, 8, 8, 8)
825     r = (((v & 0x00ff0000) >> 16) << vs->client_pf.rbits) >> 8;
826     g = (((v & 0x0000ff00) >>  8) << vs->client_pf.gbits) >> 8;
827     b = (((v & 0x000000ff) >>  0) << vs->client_pf.bbits) >> 8;
828 #else
829 # error need some bits here if you change VNC_SERVER_FB_FORMAT
830 #endif
831     v = (r << vs->client_pf.rshift) |
832         (g << vs->client_pf.gshift) |
833         (b << vs->client_pf.bshift);
834     switch (vs->client_pf.bytes_per_pixel) {
835     case 1:
836         buf[0] = v;
837         break;
838     case 2:
839         if (vs->client_be) {
840             buf[0] = v >> 8;
841             buf[1] = v;
842         } else {
843             buf[1] = v >> 8;
844             buf[0] = v;
845         }
846         break;
847     default:
848     case 4:
849         if (vs->client_be) {
850             buf[0] = v >> 24;
851             buf[1] = v >> 16;
852             buf[2] = v >> 8;
853             buf[3] = v;
854         } else {
855             buf[3] = v >> 24;
856             buf[2] = v >> 16;
857             buf[1] = v >> 8;
858             buf[0] = v;
859         }
860         break;
861     }
862 }
863 
864 static void vnc_write_pixels_generic(VncState *vs,
865                                      void *pixels1, int size)
866 {
867     uint8_t buf[4];
868 
869     if (VNC_SERVER_FB_BYTES == 4) {
870         uint32_t *pixels = pixels1;
871         int n, i;
872         n = size >> 2;
873         for (i = 0; i < n; i++) {
874             vnc_convert_pixel(vs, buf, pixels[i]);
875             vnc_write(vs, buf, vs->client_pf.bytes_per_pixel);
876         }
877     }
878 }
879 
880 int vnc_raw_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
881 {
882     int i;
883     uint8_t *row;
884     VncDisplay *vd = vs->vd;
885 
886     row = vnc_server_fb_ptr(vd, x, y);
887     for (i = 0; i < h; i++) {
888         vs->write_pixels(vs, row, w * VNC_SERVER_FB_BYTES);
889         row += vnc_server_fb_stride(vd);
890     }
891     return 1;
892 }
893 
894 int vnc_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
895 {
896     int n = 0;
897     bool encode_raw = false;
898     size_t saved_offs = vs->output.offset;
899 
900     switch(vs->vnc_encoding) {
901         case VNC_ENCODING_ZLIB:
902             n = vnc_zlib_send_framebuffer_update(vs, x, y, w, h);
903             break;
904         case VNC_ENCODING_HEXTILE:
905             vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_HEXTILE);
906             n = vnc_hextile_send_framebuffer_update(vs, x, y, w, h);
907             break;
908         case VNC_ENCODING_TIGHT:
909             n = vnc_tight_send_framebuffer_update(vs, x, y, w, h);
910             break;
911         case VNC_ENCODING_TIGHT_PNG:
912             n = vnc_tight_png_send_framebuffer_update(vs, x, y, w, h);
913             break;
914         case VNC_ENCODING_ZRLE:
915             n = vnc_zrle_send_framebuffer_update(vs, x, y, w, h);
916             break;
917         case VNC_ENCODING_ZYWRLE:
918             n = vnc_zywrle_send_framebuffer_update(vs, x, y, w, h);
919             break;
920         default:
921             encode_raw = true;
922             break;
923     }
924 
925     /* If the client has the same pixel format as our internal buffer and
926      * a RAW encoding would need less space fall back to RAW encoding to
927      * save bandwidth and processing power in the client. */
928     if (!encode_raw && vs->write_pixels == vnc_write_pixels_copy &&
929         12 + h * w * VNC_SERVER_FB_BYTES <= (vs->output.offset - saved_offs)) {
930         vs->output.offset = saved_offs;
931         encode_raw = true;
932     }
933 
934     if (encode_raw) {
935         vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_RAW);
936         n = vnc_raw_send_framebuffer_update(vs, x, y, w, h);
937     }
938 
939     return n;
940 }
941 
942 static void vnc_mouse_set(DisplayChangeListener *dcl,
943                           int x, int y, int visible)
944 {
945     /* can we ask the client(s) to move the pointer ??? */
946 }
947 
948 static int vnc_cursor_define(VncState *vs)
949 {
950     QEMUCursor *c = vs->vd->cursor;
951     int isize;
952 
953     if (vnc_has_feature(vs, VNC_FEATURE_RICH_CURSOR)) {
954         vnc_lock_output(vs);
955         vnc_write_u8(vs,  VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
956         vnc_write_u8(vs,  0);  /*  padding     */
957         vnc_write_u16(vs, 1);  /*  # of rects  */
958         vnc_framebuffer_update(vs, c->hot_x, c->hot_y, c->width, c->height,
959                                VNC_ENCODING_RICH_CURSOR);
960         isize = c->width * c->height * vs->client_pf.bytes_per_pixel;
961         vnc_write_pixels_generic(vs, c->data, isize);
962         vnc_write(vs, vs->vd->cursor_mask, vs->vd->cursor_msize);
963         vnc_unlock_output(vs);
964         return 0;
965     }
966     return -1;
967 }
968 
969 static void vnc_dpy_cursor_define(DisplayChangeListener *dcl,
970                                   QEMUCursor *c)
971 {
972     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
973     VncState *vs;
974 
975     cursor_put(vd->cursor);
976     g_free(vd->cursor_mask);
977 
978     vd->cursor = c;
979     cursor_get(vd->cursor);
980     vd->cursor_msize = cursor_get_mono_bpl(c) * c->height;
981     vd->cursor_mask = g_malloc0(vd->cursor_msize);
982     cursor_get_mono_mask(c, 0, vd->cursor_mask);
983 
984     QTAILQ_FOREACH(vs, &vd->clients, next) {
985         vnc_cursor_define(vs);
986     }
987 }
988 
989 static int find_and_clear_dirty_height(VncState *vs,
990                                        int y, int last_x, int x, int height)
991 {
992     int h;
993 
994     for (h = 1; h < (height - y); h++) {
995         if (!test_bit(last_x, vs->dirty[y + h])) {
996             break;
997         }
998         bitmap_clear(vs->dirty[y + h], last_x, x - last_x);
999     }
1000 
1001     return h;
1002 }
1003 
1004 /*
1005  * Figure out how much pending data we should allow in the output
1006  * buffer before we throttle incremental display updates, and/or
1007  * drop audio samples.
1008  *
1009  * We allow for equiv of 1 full display's worth of FB updates,
1010  * and 1 second of audio samples. If audio backlog was larger
1011  * than that the client would already suffering awful audio
1012  * glitches, so dropping samples is no worse really).
1013  */
1014 static void vnc_update_throttle_offset(VncState *vs)
1015 {
1016     size_t offset =
1017         vs->client_width * vs->client_height * vs->client_pf.bytes_per_pixel;
1018 
1019     if (vs->audio_cap) {
1020         int bps;
1021         switch (vs->as.fmt) {
1022         default:
1023         case  AUDIO_FORMAT_U8:
1024         case  AUDIO_FORMAT_S8:
1025             bps = 1;
1026             break;
1027         case  AUDIO_FORMAT_U16:
1028         case  AUDIO_FORMAT_S16:
1029             bps = 2;
1030             break;
1031         case  AUDIO_FORMAT_U32:
1032         case  AUDIO_FORMAT_S32:
1033             bps = 4;
1034             break;
1035         }
1036         offset += vs->as.freq * bps * vs->as.nchannels;
1037     }
1038 
1039     /* Put a floor of 1MB on offset, so that if we have a large pending
1040      * buffer and the display is resized to a small size & back again
1041      * we don't suddenly apply a tiny send limit
1042      */
1043     offset = MAX(offset, 1024 * 1024);
1044 
1045     if (vs->throttle_output_offset != offset) {
1046         trace_vnc_client_throttle_threshold(
1047             vs, vs->ioc, vs->throttle_output_offset, offset, vs->client_width,
1048             vs->client_height, vs->client_pf.bytes_per_pixel, vs->audio_cap);
1049     }
1050 
1051     vs->throttle_output_offset = offset;
1052 }
1053 
1054 static bool vnc_should_update(VncState *vs)
1055 {
1056     switch (vs->update) {
1057     case VNC_STATE_UPDATE_NONE:
1058         break;
1059     case VNC_STATE_UPDATE_INCREMENTAL:
1060         /* Only allow incremental updates if the pending send queue
1061          * is less than the permitted threshold, and the job worker
1062          * is completely idle.
1063          */
1064         if (vs->output.offset < vs->throttle_output_offset &&
1065             vs->job_update == VNC_STATE_UPDATE_NONE) {
1066             return true;
1067         }
1068         trace_vnc_client_throttle_incremental(
1069             vs, vs->ioc, vs->job_update, vs->output.offset);
1070         break;
1071     case VNC_STATE_UPDATE_FORCE:
1072         /* Only allow forced updates if the pending send queue
1073          * does not contain a previous forced update, and the
1074          * job worker is completely idle.
1075          *
1076          * Note this means we'll queue a forced update, even if
1077          * the output buffer size is otherwise over the throttle
1078          * output limit.
1079          */
1080         if (vs->force_update_offset == 0 &&
1081             vs->job_update == VNC_STATE_UPDATE_NONE) {
1082             return true;
1083         }
1084         trace_vnc_client_throttle_forced(
1085             vs, vs->ioc, vs->job_update, vs->force_update_offset);
1086         break;
1087     }
1088     return false;
1089 }
1090 
1091 static int vnc_update_client(VncState *vs, int has_dirty)
1092 {
1093     VncDisplay *vd = vs->vd;
1094     VncJob *job;
1095     int y;
1096     int height, width;
1097     int n = 0;
1098 
1099     if (vs->disconnecting) {
1100         vnc_disconnect_finish(vs);
1101         return 0;
1102     }
1103 
1104     vs->has_dirty += has_dirty;
1105     if (!vnc_should_update(vs)) {
1106         return 0;
1107     }
1108 
1109     if (!vs->has_dirty && vs->update != VNC_STATE_UPDATE_FORCE) {
1110         return 0;
1111     }
1112 
1113     /*
1114      * Send screen updates to the vnc client using the server
1115      * surface and server dirty map.  guest surface updates
1116      * happening in parallel don't disturb us, the next pass will
1117      * send them to the client.
1118      */
1119     job = vnc_job_new(vs);
1120 
1121     height = pixman_image_get_height(vd->server);
1122     width = pixman_image_get_width(vd->server);
1123 
1124     y = 0;
1125     for (;;) {
1126         int x, h;
1127         unsigned long x2;
1128         unsigned long offset = find_next_bit((unsigned long *) &vs->dirty,
1129                                              height * VNC_DIRTY_BPL(vs),
1130                                              y * VNC_DIRTY_BPL(vs));
1131         if (offset == height * VNC_DIRTY_BPL(vs)) {
1132             /* no more dirty bits */
1133             break;
1134         }
1135         y = offset / VNC_DIRTY_BPL(vs);
1136         x = offset % VNC_DIRTY_BPL(vs);
1137         x2 = find_next_zero_bit((unsigned long *) &vs->dirty[y],
1138                                 VNC_DIRTY_BPL(vs), x);
1139         bitmap_clear(vs->dirty[y], x, x2 - x);
1140         h = find_and_clear_dirty_height(vs, y, x, x2, height);
1141         x2 = MIN(x2, width / VNC_DIRTY_PIXELS_PER_BIT);
1142         if (x2 > x) {
1143             n += vnc_job_add_rect(job, x * VNC_DIRTY_PIXELS_PER_BIT, y,
1144                                   (x2 - x) * VNC_DIRTY_PIXELS_PER_BIT, h);
1145         }
1146         if (!x && x2 == width / VNC_DIRTY_PIXELS_PER_BIT) {
1147             y += h;
1148             if (y == height) {
1149                 break;
1150             }
1151         }
1152     }
1153 
1154     vs->job_update = vs->update;
1155     vs->update = VNC_STATE_UPDATE_NONE;
1156     vnc_job_push(job);
1157     vs->has_dirty = 0;
1158     return n;
1159 }
1160 
1161 /* audio */
1162 static void audio_capture_notify(void *opaque, audcnotification_e cmd)
1163 {
1164     VncState *vs = opaque;
1165 
1166     assert(vs->magic == VNC_MAGIC);
1167     switch (cmd) {
1168     case AUD_CNOTIFY_DISABLE:
1169         vnc_lock_output(vs);
1170         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1171         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1172         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_END);
1173         vnc_unlock_output(vs);
1174         vnc_flush(vs);
1175         break;
1176 
1177     case AUD_CNOTIFY_ENABLE:
1178         vnc_lock_output(vs);
1179         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1180         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1181         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_BEGIN);
1182         vnc_unlock_output(vs);
1183         vnc_flush(vs);
1184         break;
1185     }
1186 }
1187 
1188 static void audio_capture_destroy(void *opaque)
1189 {
1190 }
1191 
1192 static void audio_capture(void *opaque, void *buf, int size)
1193 {
1194     VncState *vs = opaque;
1195 
1196     assert(vs->magic == VNC_MAGIC);
1197     vnc_lock_output(vs);
1198     if (vs->output.offset < vs->throttle_output_offset) {
1199         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1200         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1201         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_DATA);
1202         vnc_write_u32(vs, size);
1203         vnc_write(vs, buf, size);
1204     } else {
1205         trace_vnc_client_throttle_audio(vs, vs->ioc, vs->output.offset);
1206     }
1207     vnc_unlock_output(vs);
1208     vnc_flush(vs);
1209 }
1210 
1211 static void audio_add(VncState *vs)
1212 {
1213     struct audio_capture_ops ops;
1214 
1215     if (vs->audio_cap) {
1216         error_report("audio already running");
1217         return;
1218     }
1219 
1220     ops.notify = audio_capture_notify;
1221     ops.destroy = audio_capture_destroy;
1222     ops.capture = audio_capture;
1223 
1224     vs->audio_cap = AUD_add_capture(&vs->as, &ops, vs);
1225     if (!vs->audio_cap) {
1226         error_report("Failed to add audio capture");
1227     }
1228 }
1229 
1230 static void audio_del(VncState *vs)
1231 {
1232     if (vs->audio_cap) {
1233         AUD_del_capture(vs->audio_cap, vs);
1234         vs->audio_cap = NULL;
1235     }
1236 }
1237 
1238 static void vnc_disconnect_start(VncState *vs)
1239 {
1240     if (vs->disconnecting) {
1241         return;
1242     }
1243     trace_vnc_client_disconnect_start(vs, vs->ioc);
1244     vnc_set_share_mode(vs, VNC_SHARE_MODE_DISCONNECTED);
1245     if (vs->ioc_tag) {
1246         g_source_remove(vs->ioc_tag);
1247         vs->ioc_tag = 0;
1248     }
1249     qio_channel_close(vs->ioc, NULL);
1250     vs->disconnecting = TRUE;
1251 }
1252 
1253 void vnc_disconnect_finish(VncState *vs)
1254 {
1255     int i;
1256 
1257     trace_vnc_client_disconnect_finish(vs, vs->ioc);
1258 
1259     vnc_jobs_join(vs); /* Wait encoding jobs */
1260 
1261     vnc_lock_output(vs);
1262     vnc_qmp_event(vs, QAPI_EVENT_VNC_DISCONNECTED);
1263 
1264     buffer_free(&vs->input);
1265     buffer_free(&vs->output);
1266 
1267     qapi_free_VncClientInfo(vs->info);
1268 
1269     vnc_zlib_clear(vs);
1270     vnc_tight_clear(vs);
1271     vnc_zrle_clear(vs);
1272 
1273 #ifdef CONFIG_VNC_SASL
1274     vnc_sasl_client_cleanup(vs);
1275 #endif /* CONFIG_VNC_SASL */
1276     audio_del(vs);
1277     qkbd_state_lift_all_keys(vs->vd->kbd);
1278 
1279     if (vs->mouse_mode_notifier.notify != NULL) {
1280         qemu_remove_mouse_mode_change_notifier(&vs->mouse_mode_notifier);
1281     }
1282     QTAILQ_REMOVE(&vs->vd->clients, vs, next);
1283     if (QTAILQ_EMPTY(&vs->vd->clients)) {
1284         /* last client gone */
1285         vnc_update_server_surface(vs->vd);
1286     }
1287 
1288     vnc_unlock_output(vs);
1289 
1290     qemu_mutex_destroy(&vs->output_mutex);
1291     if (vs->bh != NULL) {
1292         qemu_bh_delete(vs->bh);
1293     }
1294     buffer_free(&vs->jobs_buffer);
1295 
1296     for (i = 0; i < VNC_STAT_ROWS; ++i) {
1297         g_free(vs->lossy_rect[i]);
1298     }
1299     g_free(vs->lossy_rect);
1300 
1301     object_unref(OBJECT(vs->ioc));
1302     vs->ioc = NULL;
1303     object_unref(OBJECT(vs->sioc));
1304     vs->sioc = NULL;
1305     vs->magic = 0;
1306     g_free(vs);
1307 }
1308 
1309 size_t vnc_client_io_error(VncState *vs, ssize_t ret, Error **errp)
1310 {
1311     if (ret <= 0) {
1312         if (ret == 0) {
1313             trace_vnc_client_eof(vs, vs->ioc);
1314             vnc_disconnect_start(vs);
1315         } else if (ret != QIO_CHANNEL_ERR_BLOCK) {
1316             trace_vnc_client_io_error(vs, vs->ioc,
1317                                       errp ? error_get_pretty(*errp) :
1318                                       "Unknown");
1319             vnc_disconnect_start(vs);
1320         }
1321 
1322         if (errp) {
1323             error_free(*errp);
1324             *errp = NULL;
1325         }
1326         return 0;
1327     }
1328     return ret;
1329 }
1330 
1331 
1332 void vnc_client_error(VncState *vs)
1333 {
1334     VNC_DEBUG("Closing down client sock: protocol error\n");
1335     vnc_disconnect_start(vs);
1336 }
1337 
1338 
1339 /*
1340  * Called to write a chunk of data to the client socket. The data may
1341  * be the raw data, or may have already been encoded by SASL.
1342  * The data will be written either straight onto the socket, or
1343  * written via the GNUTLS wrappers, if TLS/SSL encryption is enabled
1344  *
1345  * NB, it is theoretically possible to have 2 layers of encryption,
1346  * both SASL, and this TLS layer. It is highly unlikely in practice
1347  * though, since SASL encryption will typically be a no-op if TLS
1348  * is active
1349  *
1350  * Returns the number of bytes written, which may be less than
1351  * the requested 'datalen' if the socket would block. Returns
1352  * 0 on I/O error, and disconnects the client socket.
1353  */
1354 size_t vnc_client_write_buf(VncState *vs, const uint8_t *data, size_t datalen)
1355 {
1356     Error *err = NULL;
1357     ssize_t ret;
1358     ret = qio_channel_write(
1359         vs->ioc, (const char *)data, datalen, &err);
1360     VNC_DEBUG("Wrote wire %p %zd -> %ld\n", data, datalen, ret);
1361     return vnc_client_io_error(vs, ret, &err);
1362 }
1363 
1364 
1365 /*
1366  * Called to write buffered data to the client socket, when not
1367  * using any SASL SSF encryption layers. Will write as much data
1368  * as possible without blocking. If all buffered data is written,
1369  * will switch the FD poll() handler back to read monitoring.
1370  *
1371  * Returns the number of bytes written, which may be less than
1372  * the buffered output data if the socket would block.  Returns
1373  * 0 on I/O error, and disconnects the client socket.
1374  */
1375 static size_t vnc_client_write_plain(VncState *vs)
1376 {
1377     size_t offset;
1378     size_t ret;
1379 
1380 #ifdef CONFIG_VNC_SASL
1381     VNC_DEBUG("Write Plain: Pending output %p size %zd offset %zd. Wait SSF %d\n",
1382               vs->output.buffer, vs->output.capacity, vs->output.offset,
1383               vs->sasl.waitWriteSSF);
1384 
1385     if (vs->sasl.conn &&
1386         vs->sasl.runSSF &&
1387         vs->sasl.waitWriteSSF) {
1388         ret = vnc_client_write_buf(vs, vs->output.buffer, vs->sasl.waitWriteSSF);
1389         if (ret)
1390             vs->sasl.waitWriteSSF -= ret;
1391     } else
1392 #endif /* CONFIG_VNC_SASL */
1393         ret = vnc_client_write_buf(vs, vs->output.buffer, vs->output.offset);
1394     if (!ret)
1395         return 0;
1396 
1397     if (ret >= vs->force_update_offset) {
1398         if (vs->force_update_offset != 0) {
1399             trace_vnc_client_unthrottle_forced(vs, vs->ioc);
1400         }
1401         vs->force_update_offset = 0;
1402     } else {
1403         vs->force_update_offset -= ret;
1404     }
1405     offset = vs->output.offset;
1406     buffer_advance(&vs->output, ret);
1407     if (offset >= vs->throttle_output_offset &&
1408         vs->output.offset < vs->throttle_output_offset) {
1409         trace_vnc_client_unthrottle_incremental(vs, vs->ioc, vs->output.offset);
1410     }
1411 
1412     if (vs->output.offset == 0) {
1413         if (vs->ioc_tag) {
1414             g_source_remove(vs->ioc_tag);
1415         }
1416         vs->ioc_tag = qio_channel_add_watch(
1417             vs->ioc, G_IO_IN, vnc_client_io, vs, NULL);
1418     }
1419 
1420     return ret;
1421 }
1422 
1423 
1424 /*
1425  * First function called whenever there is data to be written to
1426  * the client socket. Will delegate actual work according to whether
1427  * SASL SSF layers are enabled (thus requiring encryption calls)
1428  */
1429 static void vnc_client_write_locked(VncState *vs)
1430 {
1431 #ifdef CONFIG_VNC_SASL
1432     if (vs->sasl.conn &&
1433         vs->sasl.runSSF &&
1434         !vs->sasl.waitWriteSSF) {
1435         vnc_client_write_sasl(vs);
1436     } else
1437 #endif /* CONFIG_VNC_SASL */
1438     {
1439         vnc_client_write_plain(vs);
1440     }
1441 }
1442 
1443 static void vnc_client_write(VncState *vs)
1444 {
1445     assert(vs->magic == VNC_MAGIC);
1446     vnc_lock_output(vs);
1447     if (vs->output.offset) {
1448         vnc_client_write_locked(vs);
1449     } else if (vs->ioc != NULL) {
1450         if (vs->ioc_tag) {
1451             g_source_remove(vs->ioc_tag);
1452         }
1453         vs->ioc_tag = qio_channel_add_watch(
1454             vs->ioc, G_IO_IN, vnc_client_io, vs, NULL);
1455     }
1456     vnc_unlock_output(vs);
1457 }
1458 
1459 void vnc_read_when(VncState *vs, VncReadEvent *func, size_t expecting)
1460 {
1461     vs->read_handler = func;
1462     vs->read_handler_expect = expecting;
1463 }
1464 
1465 
1466 /*
1467  * Called to read a chunk of data from the client socket. The data may
1468  * be the raw data, or may need to be further decoded by SASL.
1469  * The data will be read either straight from to the socket, or
1470  * read via the GNUTLS wrappers, if TLS/SSL encryption is enabled
1471  *
1472  * NB, it is theoretically possible to have 2 layers of encryption,
1473  * both SASL, and this TLS layer. It is highly unlikely in practice
1474  * though, since SASL encryption will typically be a no-op if TLS
1475  * is active
1476  *
1477  * Returns the number of bytes read, which may be less than
1478  * the requested 'datalen' if the socket would block. Returns
1479  * 0 on I/O error or EOF, and disconnects the client socket.
1480  */
1481 size_t vnc_client_read_buf(VncState *vs, uint8_t *data, size_t datalen)
1482 {
1483     ssize_t ret;
1484     Error *err = NULL;
1485     ret = qio_channel_read(
1486         vs->ioc, (char *)data, datalen, &err);
1487     VNC_DEBUG("Read wire %p %zd -> %ld\n", data, datalen, ret);
1488     return vnc_client_io_error(vs, ret, &err);
1489 }
1490 
1491 
1492 /*
1493  * Called to read data from the client socket to the input buffer,
1494  * when not using any SASL SSF encryption layers. Will read as much
1495  * data as possible without blocking.
1496  *
1497  * Returns the number of bytes read, which may be less than
1498  * the requested 'datalen' if the socket would block. Returns
1499  * 0 on I/O error or EOF, and disconnects the client socket.
1500  */
1501 static size_t vnc_client_read_plain(VncState *vs)
1502 {
1503     size_t ret;
1504     VNC_DEBUG("Read plain %p size %zd offset %zd\n",
1505               vs->input.buffer, vs->input.capacity, vs->input.offset);
1506     buffer_reserve(&vs->input, 4096);
1507     ret = vnc_client_read_buf(vs, buffer_end(&vs->input), 4096);
1508     if (!ret)
1509         return 0;
1510     vs->input.offset += ret;
1511     return ret;
1512 }
1513 
1514 static void vnc_jobs_bh(void *opaque)
1515 {
1516     VncState *vs = opaque;
1517 
1518     assert(vs->magic == VNC_MAGIC);
1519     vnc_jobs_consume_buffer(vs);
1520 }
1521 
1522 /*
1523  * First function called whenever there is more data to be read from
1524  * the client socket. Will delegate actual work according to whether
1525  * SASL SSF layers are enabled (thus requiring decryption calls)
1526  * Returns 0 on success, -1 if client disconnected
1527  */
1528 static int vnc_client_read(VncState *vs)
1529 {
1530     size_t ret;
1531 
1532 #ifdef CONFIG_VNC_SASL
1533     if (vs->sasl.conn && vs->sasl.runSSF)
1534         ret = vnc_client_read_sasl(vs);
1535     else
1536 #endif /* CONFIG_VNC_SASL */
1537         ret = vnc_client_read_plain(vs);
1538     if (!ret) {
1539         if (vs->disconnecting) {
1540             vnc_disconnect_finish(vs);
1541             return -1;
1542         }
1543         return 0;
1544     }
1545 
1546     while (vs->read_handler && vs->input.offset >= vs->read_handler_expect) {
1547         size_t len = vs->read_handler_expect;
1548         int ret;
1549 
1550         ret = vs->read_handler(vs, vs->input.buffer, len);
1551         if (vs->disconnecting) {
1552             vnc_disconnect_finish(vs);
1553             return -1;
1554         }
1555 
1556         if (!ret) {
1557             buffer_advance(&vs->input, len);
1558         } else {
1559             vs->read_handler_expect = ret;
1560         }
1561     }
1562     return 0;
1563 }
1564 
1565 gboolean vnc_client_io(QIOChannel *ioc G_GNUC_UNUSED,
1566                        GIOCondition condition, void *opaque)
1567 {
1568     VncState *vs = opaque;
1569 
1570     assert(vs->magic == VNC_MAGIC);
1571     if (condition & G_IO_IN) {
1572         if (vnc_client_read(vs) < 0) {
1573             /* vs is free()ed here */
1574             return TRUE;
1575         }
1576     }
1577     if (condition & G_IO_OUT) {
1578         vnc_client_write(vs);
1579     }
1580 
1581     if (vs->disconnecting) {
1582         if (vs->ioc_tag != 0) {
1583             g_source_remove(vs->ioc_tag);
1584         }
1585         vs->ioc_tag = 0;
1586     }
1587     return TRUE;
1588 }
1589 
1590 
1591 /*
1592  * Scale factor to apply to vs->throttle_output_offset when checking for
1593  * hard limit. Worst case normal usage could be x2, if we have a complete
1594  * incremental update and complete forced update in the output buffer.
1595  * So x3 should be good enough, but we pick x5 to be conservative and thus
1596  * (hopefully) never trigger incorrectly.
1597  */
1598 #define VNC_THROTTLE_OUTPUT_LIMIT_SCALE 5
1599 
1600 void vnc_write(VncState *vs, const void *data, size_t len)
1601 {
1602     assert(vs->magic == VNC_MAGIC);
1603     if (vs->disconnecting) {
1604         return;
1605     }
1606     /* Protection against malicious client/guest to prevent our output
1607      * buffer growing without bound if client stops reading data. This
1608      * should rarely trigger, because we have earlier throttling code
1609      * which stops issuing framebuffer updates and drops audio data
1610      * if the throttle_output_offset value is exceeded. So we only reach
1611      * this higher level if a huge number of pseudo-encodings get
1612      * triggered while data can't be sent on the socket.
1613      *
1614      * NB throttle_output_offset can be zero during early protocol
1615      * handshake, or from the job thread's VncState clone
1616      */
1617     if (vs->throttle_output_offset != 0 &&
1618         (vs->output.offset / VNC_THROTTLE_OUTPUT_LIMIT_SCALE) >
1619         vs->throttle_output_offset) {
1620         trace_vnc_client_output_limit(vs, vs->ioc, vs->output.offset,
1621                                       vs->throttle_output_offset);
1622         vnc_disconnect_start(vs);
1623         return;
1624     }
1625     buffer_reserve(&vs->output, len);
1626 
1627     if (vs->ioc != NULL && buffer_empty(&vs->output)) {
1628         if (vs->ioc_tag) {
1629             g_source_remove(vs->ioc_tag);
1630         }
1631         vs->ioc_tag = qio_channel_add_watch(
1632             vs->ioc, G_IO_IN | G_IO_OUT, vnc_client_io, vs, NULL);
1633     }
1634 
1635     buffer_append(&vs->output, data, len);
1636 }
1637 
1638 void vnc_write_s32(VncState *vs, int32_t value)
1639 {
1640     vnc_write_u32(vs, *(uint32_t *)&value);
1641 }
1642 
1643 void vnc_write_u32(VncState *vs, uint32_t value)
1644 {
1645     uint8_t buf[4];
1646 
1647     buf[0] = (value >> 24) & 0xFF;
1648     buf[1] = (value >> 16) & 0xFF;
1649     buf[2] = (value >>  8) & 0xFF;
1650     buf[3] = value & 0xFF;
1651 
1652     vnc_write(vs, buf, 4);
1653 }
1654 
1655 void vnc_write_u16(VncState *vs, uint16_t value)
1656 {
1657     uint8_t buf[2];
1658 
1659     buf[0] = (value >> 8) & 0xFF;
1660     buf[1] = value & 0xFF;
1661 
1662     vnc_write(vs, buf, 2);
1663 }
1664 
1665 void vnc_write_u8(VncState *vs, uint8_t value)
1666 {
1667     vnc_write(vs, (char *)&value, 1);
1668 }
1669 
1670 void vnc_flush(VncState *vs)
1671 {
1672     vnc_lock_output(vs);
1673     if (vs->ioc != NULL && vs->output.offset) {
1674         vnc_client_write_locked(vs);
1675     }
1676     if (vs->disconnecting) {
1677         if (vs->ioc_tag != 0) {
1678             g_source_remove(vs->ioc_tag);
1679         }
1680         vs->ioc_tag = 0;
1681     }
1682     vnc_unlock_output(vs);
1683 }
1684 
1685 static uint8_t read_u8(uint8_t *data, size_t offset)
1686 {
1687     return data[offset];
1688 }
1689 
1690 static uint16_t read_u16(uint8_t *data, size_t offset)
1691 {
1692     return ((data[offset] & 0xFF) << 8) | (data[offset + 1] & 0xFF);
1693 }
1694 
1695 static int32_t read_s32(uint8_t *data, size_t offset)
1696 {
1697     return (int32_t)((data[offset] << 24) | (data[offset + 1] << 16) |
1698                      (data[offset + 2] << 8) | data[offset + 3]);
1699 }
1700 
1701 uint32_t read_u32(uint8_t *data, size_t offset)
1702 {
1703     return ((data[offset] << 24) | (data[offset + 1] << 16) |
1704             (data[offset + 2] << 8) | data[offset + 3]);
1705 }
1706 
1707 static void client_cut_text(VncState *vs, size_t len, uint8_t *text)
1708 {
1709 }
1710 
1711 static void check_pointer_type_change(Notifier *notifier, void *data)
1712 {
1713     VncState *vs = container_of(notifier, VncState, mouse_mode_notifier);
1714     int absolute = qemu_input_is_absolute();
1715 
1716     if (vnc_has_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE) && vs->absolute != absolute) {
1717         vnc_lock_output(vs);
1718         vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1719         vnc_write_u8(vs, 0);
1720         vnc_write_u16(vs, 1);
1721         vnc_framebuffer_update(vs, absolute, 0,
1722                                pixman_image_get_width(vs->vd->server),
1723                                pixman_image_get_height(vs->vd->server),
1724                                VNC_ENCODING_POINTER_TYPE_CHANGE);
1725         vnc_unlock_output(vs);
1726         vnc_flush(vs);
1727     }
1728     vs->absolute = absolute;
1729 }
1730 
1731 static void pointer_event(VncState *vs, int button_mask, int x, int y)
1732 {
1733     static uint32_t bmap[INPUT_BUTTON__MAX] = {
1734         [INPUT_BUTTON_LEFT]       = 0x01,
1735         [INPUT_BUTTON_MIDDLE]     = 0x02,
1736         [INPUT_BUTTON_RIGHT]      = 0x04,
1737         [INPUT_BUTTON_WHEEL_UP]   = 0x08,
1738         [INPUT_BUTTON_WHEEL_DOWN] = 0x10,
1739     };
1740     QemuConsole *con = vs->vd->dcl.con;
1741     int width = pixman_image_get_width(vs->vd->server);
1742     int height = pixman_image_get_height(vs->vd->server);
1743 
1744     if (vs->last_bmask != button_mask) {
1745         qemu_input_update_buttons(con, bmap, vs->last_bmask, button_mask);
1746         vs->last_bmask = button_mask;
1747     }
1748 
1749     if (vs->absolute) {
1750         qemu_input_queue_abs(con, INPUT_AXIS_X, x, 0, width);
1751         qemu_input_queue_abs(con, INPUT_AXIS_Y, y, 0, height);
1752     } else if (vnc_has_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE)) {
1753         qemu_input_queue_rel(con, INPUT_AXIS_X, x - 0x7FFF);
1754         qemu_input_queue_rel(con, INPUT_AXIS_Y, y - 0x7FFF);
1755     } else {
1756         if (vs->last_x != -1) {
1757             qemu_input_queue_rel(con, INPUT_AXIS_X, x - vs->last_x);
1758             qemu_input_queue_rel(con, INPUT_AXIS_Y, y - vs->last_y);
1759         }
1760         vs->last_x = x;
1761         vs->last_y = y;
1762     }
1763     qemu_input_event_sync();
1764 }
1765 
1766 static void press_key(VncState *vs, QKeyCode qcode)
1767 {
1768     qkbd_state_key_event(vs->vd->kbd, qcode, true);
1769     qkbd_state_key_event(vs->vd->kbd, qcode, false);
1770 }
1771 
1772 static void vnc_led_state_change(VncState *vs)
1773 {
1774     if (!vnc_has_feature(vs, VNC_FEATURE_LED_STATE)) {
1775         return;
1776     }
1777 
1778     vnc_lock_output(vs);
1779     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1780     vnc_write_u8(vs, 0);
1781     vnc_write_u16(vs, 1);
1782     vnc_framebuffer_update(vs, 0, 0, 1, 1, VNC_ENCODING_LED_STATE);
1783     vnc_write_u8(vs, vs->vd->ledstate);
1784     vnc_unlock_output(vs);
1785     vnc_flush(vs);
1786 }
1787 
1788 static void kbd_leds(void *opaque, int ledstate)
1789 {
1790     VncDisplay *vd = opaque;
1791     VncState *client;
1792 
1793     trace_vnc_key_guest_leds((ledstate & QEMU_CAPS_LOCK_LED),
1794                              (ledstate & QEMU_NUM_LOCK_LED),
1795                              (ledstate & QEMU_SCROLL_LOCK_LED));
1796 
1797     if (ledstate == vd->ledstate) {
1798         return;
1799     }
1800 
1801     vd->ledstate = ledstate;
1802 
1803     QTAILQ_FOREACH(client, &vd->clients, next) {
1804         vnc_led_state_change(client);
1805     }
1806 }
1807 
1808 static void do_key_event(VncState *vs, int down, int keycode, int sym)
1809 {
1810     QKeyCode qcode = qemu_input_key_number_to_qcode(keycode);
1811 
1812     /* QEMU console switch */
1813     switch (qcode) {
1814     case Q_KEY_CODE_1 ... Q_KEY_CODE_9: /* '1' to '9' keys */
1815         if (vs->vd->dcl.con == NULL && down &&
1816             qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_CTRL) &&
1817             qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_ALT)) {
1818             /* Reset the modifiers sent to the current console */
1819             qkbd_state_lift_all_keys(vs->vd->kbd);
1820             console_select(qcode - Q_KEY_CODE_1);
1821             return;
1822         }
1823     default:
1824         break;
1825     }
1826 
1827     /* Turn off the lock state sync logic if the client support the led
1828        state extension.
1829     */
1830     if (down && vs->vd->lock_key_sync &&
1831         !vnc_has_feature(vs, VNC_FEATURE_LED_STATE) &&
1832         keycode_is_keypad(vs->vd->kbd_layout, keycode)) {
1833         /* If the numlock state needs to change then simulate an additional
1834            keypress before sending this one.  This will happen if the user
1835            toggles numlock away from the VNC window.
1836         */
1837         if (keysym_is_numlock(vs->vd->kbd_layout, sym & 0xFFFF)) {
1838             if (!qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_NUMLOCK)) {
1839                 trace_vnc_key_sync_numlock(true);
1840                 press_key(vs, Q_KEY_CODE_NUM_LOCK);
1841             }
1842         } else {
1843             if (qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_NUMLOCK)) {
1844                 trace_vnc_key_sync_numlock(false);
1845                 press_key(vs, Q_KEY_CODE_NUM_LOCK);
1846             }
1847         }
1848     }
1849 
1850     if (down && vs->vd->lock_key_sync &&
1851         !vnc_has_feature(vs, VNC_FEATURE_LED_STATE) &&
1852         ((sym >= 'A' && sym <= 'Z') || (sym >= 'a' && sym <= 'z'))) {
1853         /* If the capslock state needs to change then simulate an additional
1854            keypress before sending this one.  This will happen if the user
1855            toggles capslock away from the VNC window.
1856         */
1857         int uppercase = !!(sym >= 'A' && sym <= 'Z');
1858         bool shift = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_SHIFT);
1859         bool capslock = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_CAPSLOCK);
1860         if (capslock) {
1861             if (uppercase == shift) {
1862                 trace_vnc_key_sync_capslock(false);
1863                 press_key(vs, Q_KEY_CODE_CAPS_LOCK);
1864             }
1865         } else {
1866             if (uppercase != shift) {
1867                 trace_vnc_key_sync_capslock(true);
1868                 press_key(vs, Q_KEY_CODE_CAPS_LOCK);
1869             }
1870         }
1871     }
1872 
1873     qkbd_state_key_event(vs->vd->kbd, qcode, down);
1874     if (!qemu_console_is_graphic(NULL)) {
1875         bool numlock = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_NUMLOCK);
1876         bool control = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_CTRL);
1877         /* QEMU console emulation */
1878         if (down) {
1879             switch (keycode) {
1880             case 0x2a:                          /* Left Shift */
1881             case 0x36:                          /* Right Shift */
1882             case 0x1d:                          /* Left CTRL */
1883             case 0x9d:                          /* Right CTRL */
1884             case 0x38:                          /* Left ALT */
1885             case 0xb8:                          /* Right ALT */
1886                 break;
1887             case 0xc8:
1888                 kbd_put_keysym(QEMU_KEY_UP);
1889                 break;
1890             case 0xd0:
1891                 kbd_put_keysym(QEMU_KEY_DOWN);
1892                 break;
1893             case 0xcb:
1894                 kbd_put_keysym(QEMU_KEY_LEFT);
1895                 break;
1896             case 0xcd:
1897                 kbd_put_keysym(QEMU_KEY_RIGHT);
1898                 break;
1899             case 0xd3:
1900                 kbd_put_keysym(QEMU_KEY_DELETE);
1901                 break;
1902             case 0xc7:
1903                 kbd_put_keysym(QEMU_KEY_HOME);
1904                 break;
1905             case 0xcf:
1906                 kbd_put_keysym(QEMU_KEY_END);
1907                 break;
1908             case 0xc9:
1909                 kbd_put_keysym(QEMU_KEY_PAGEUP);
1910                 break;
1911             case 0xd1:
1912                 kbd_put_keysym(QEMU_KEY_PAGEDOWN);
1913                 break;
1914 
1915             case 0x47:
1916                 kbd_put_keysym(numlock ? '7' : QEMU_KEY_HOME);
1917                 break;
1918             case 0x48:
1919                 kbd_put_keysym(numlock ? '8' : QEMU_KEY_UP);
1920                 break;
1921             case 0x49:
1922                 kbd_put_keysym(numlock ? '9' : QEMU_KEY_PAGEUP);
1923                 break;
1924             case 0x4b:
1925                 kbd_put_keysym(numlock ? '4' : QEMU_KEY_LEFT);
1926                 break;
1927             case 0x4c:
1928                 kbd_put_keysym('5');
1929                 break;
1930             case 0x4d:
1931                 kbd_put_keysym(numlock ? '6' : QEMU_KEY_RIGHT);
1932                 break;
1933             case 0x4f:
1934                 kbd_put_keysym(numlock ? '1' : QEMU_KEY_END);
1935                 break;
1936             case 0x50:
1937                 kbd_put_keysym(numlock ? '2' : QEMU_KEY_DOWN);
1938                 break;
1939             case 0x51:
1940                 kbd_put_keysym(numlock ? '3' : QEMU_KEY_PAGEDOWN);
1941                 break;
1942             case 0x52:
1943                 kbd_put_keysym('0');
1944                 break;
1945             case 0x53:
1946                 kbd_put_keysym(numlock ? '.' : QEMU_KEY_DELETE);
1947                 break;
1948 
1949             case 0xb5:
1950                 kbd_put_keysym('/');
1951                 break;
1952             case 0x37:
1953                 kbd_put_keysym('*');
1954                 break;
1955             case 0x4a:
1956                 kbd_put_keysym('-');
1957                 break;
1958             case 0x4e:
1959                 kbd_put_keysym('+');
1960                 break;
1961             case 0x9c:
1962                 kbd_put_keysym('\n');
1963                 break;
1964 
1965             default:
1966                 if (control) {
1967                     kbd_put_keysym(sym & 0x1f);
1968                 } else {
1969                     kbd_put_keysym(sym);
1970                 }
1971                 break;
1972             }
1973         }
1974     }
1975 }
1976 
1977 static const char *code2name(int keycode)
1978 {
1979     return QKeyCode_str(qemu_input_key_number_to_qcode(keycode));
1980 }
1981 
1982 static void key_event(VncState *vs, int down, uint32_t sym)
1983 {
1984     int keycode;
1985     int lsym = sym;
1986 
1987     if (lsym >= 'A' && lsym <= 'Z' && qemu_console_is_graphic(NULL)) {
1988         lsym = lsym - 'A' + 'a';
1989     }
1990 
1991     keycode = keysym2scancode(vs->vd->kbd_layout, lsym & 0xFFFF,
1992                               vs->vd->kbd, down) & SCANCODE_KEYMASK;
1993     trace_vnc_key_event_map(down, sym, keycode, code2name(keycode));
1994     do_key_event(vs, down, keycode, sym);
1995 }
1996 
1997 static void ext_key_event(VncState *vs, int down,
1998                           uint32_t sym, uint16_t keycode)
1999 {
2000     /* if the user specifies a keyboard layout, always use it */
2001     if (keyboard_layout) {
2002         key_event(vs, down, sym);
2003     } else {
2004         trace_vnc_key_event_ext(down, sym, keycode, code2name(keycode));
2005         do_key_event(vs, down, keycode, sym);
2006     }
2007 }
2008 
2009 static void framebuffer_update_request(VncState *vs, int incremental,
2010                                        int x, int y, int w, int h)
2011 {
2012     if (incremental) {
2013         if (vs->update != VNC_STATE_UPDATE_FORCE) {
2014             vs->update = VNC_STATE_UPDATE_INCREMENTAL;
2015         }
2016     } else {
2017         vs->update = VNC_STATE_UPDATE_FORCE;
2018         vnc_set_area_dirty(vs->dirty, vs->vd, x, y, w, h);
2019     }
2020 }
2021 
2022 static void send_ext_key_event_ack(VncState *vs)
2023 {
2024     vnc_lock_output(vs);
2025     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2026     vnc_write_u8(vs, 0);
2027     vnc_write_u16(vs, 1);
2028     vnc_framebuffer_update(vs, 0, 0,
2029                            pixman_image_get_width(vs->vd->server),
2030                            pixman_image_get_height(vs->vd->server),
2031                            VNC_ENCODING_EXT_KEY_EVENT);
2032     vnc_unlock_output(vs);
2033     vnc_flush(vs);
2034 }
2035 
2036 static void send_ext_audio_ack(VncState *vs)
2037 {
2038     vnc_lock_output(vs);
2039     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2040     vnc_write_u8(vs, 0);
2041     vnc_write_u16(vs, 1);
2042     vnc_framebuffer_update(vs, 0, 0,
2043                            pixman_image_get_width(vs->vd->server),
2044                            pixman_image_get_height(vs->vd->server),
2045                            VNC_ENCODING_AUDIO);
2046     vnc_unlock_output(vs);
2047     vnc_flush(vs);
2048 }
2049 
2050 static void set_encodings(VncState *vs, int32_t *encodings, size_t n_encodings)
2051 {
2052     int i;
2053     unsigned int enc = 0;
2054 
2055     vs->features = 0;
2056     vs->vnc_encoding = 0;
2057     vs->tight.compression = 9;
2058     vs->tight.quality = -1; /* Lossless by default */
2059     vs->absolute = -1;
2060 
2061     /*
2062      * Start from the end because the encodings are sent in order of preference.
2063      * This way the preferred encoding (first encoding defined in the array)
2064      * will be set at the end of the loop.
2065      */
2066     for (i = n_encodings - 1; i >= 0; i--) {
2067         enc = encodings[i];
2068         switch (enc) {
2069         case VNC_ENCODING_RAW:
2070             vs->vnc_encoding = enc;
2071             break;
2072         case VNC_ENCODING_COPYRECT:
2073             vs->features |= VNC_FEATURE_COPYRECT_MASK;
2074             break;
2075         case VNC_ENCODING_HEXTILE:
2076             vs->features |= VNC_FEATURE_HEXTILE_MASK;
2077             vs->vnc_encoding = enc;
2078             break;
2079         case VNC_ENCODING_TIGHT:
2080             vs->features |= VNC_FEATURE_TIGHT_MASK;
2081             vs->vnc_encoding = enc;
2082             break;
2083 #ifdef CONFIG_VNC_PNG
2084         case VNC_ENCODING_TIGHT_PNG:
2085             vs->features |= VNC_FEATURE_TIGHT_PNG_MASK;
2086             vs->vnc_encoding = enc;
2087             break;
2088 #endif
2089         case VNC_ENCODING_ZLIB:
2090             vs->features |= VNC_FEATURE_ZLIB_MASK;
2091             vs->vnc_encoding = enc;
2092             break;
2093         case VNC_ENCODING_ZRLE:
2094             vs->features |= VNC_FEATURE_ZRLE_MASK;
2095             vs->vnc_encoding = enc;
2096             break;
2097         case VNC_ENCODING_ZYWRLE:
2098             vs->features |= VNC_FEATURE_ZYWRLE_MASK;
2099             vs->vnc_encoding = enc;
2100             break;
2101         case VNC_ENCODING_DESKTOPRESIZE:
2102             vs->features |= VNC_FEATURE_RESIZE_MASK;
2103             break;
2104         case VNC_ENCODING_POINTER_TYPE_CHANGE:
2105             vs->features |= VNC_FEATURE_POINTER_TYPE_CHANGE_MASK;
2106             break;
2107         case VNC_ENCODING_RICH_CURSOR:
2108             vs->features |= VNC_FEATURE_RICH_CURSOR_MASK;
2109             if (vs->vd->cursor) {
2110                 vnc_cursor_define(vs);
2111             }
2112             break;
2113         case VNC_ENCODING_EXT_KEY_EVENT:
2114             send_ext_key_event_ack(vs);
2115             break;
2116         case VNC_ENCODING_AUDIO:
2117             send_ext_audio_ack(vs);
2118             break;
2119         case VNC_ENCODING_WMVi:
2120             vs->features |= VNC_FEATURE_WMVI_MASK;
2121             break;
2122         case VNC_ENCODING_LED_STATE:
2123             vs->features |= VNC_FEATURE_LED_STATE_MASK;
2124             break;
2125         case VNC_ENCODING_COMPRESSLEVEL0 ... VNC_ENCODING_COMPRESSLEVEL0 + 9:
2126             vs->tight.compression = (enc & 0x0F);
2127             break;
2128         case VNC_ENCODING_QUALITYLEVEL0 ... VNC_ENCODING_QUALITYLEVEL0 + 9:
2129             if (vs->vd->lossy) {
2130                 vs->tight.quality = (enc & 0x0F);
2131             }
2132             break;
2133         default:
2134             VNC_DEBUG("Unknown encoding: %d (0x%.8x): %d\n", i, enc, enc);
2135             break;
2136         }
2137     }
2138     vnc_desktop_resize(vs);
2139     check_pointer_type_change(&vs->mouse_mode_notifier, NULL);
2140     vnc_led_state_change(vs);
2141 }
2142 
2143 static void set_pixel_conversion(VncState *vs)
2144 {
2145     pixman_format_code_t fmt = qemu_pixman_get_format(&vs->client_pf);
2146 
2147     if (fmt == VNC_SERVER_FB_FORMAT) {
2148         vs->write_pixels = vnc_write_pixels_copy;
2149         vnc_hextile_set_pixel_conversion(vs, 0);
2150     } else {
2151         vs->write_pixels = vnc_write_pixels_generic;
2152         vnc_hextile_set_pixel_conversion(vs, 1);
2153     }
2154 }
2155 
2156 static void send_color_map(VncState *vs)
2157 {
2158     int i;
2159 
2160     vnc_write_u8(vs, VNC_MSG_SERVER_SET_COLOUR_MAP_ENTRIES);
2161     vnc_write_u8(vs,  0);    /* padding     */
2162     vnc_write_u16(vs, 0);    /* first color */
2163     vnc_write_u16(vs, 256);  /* # of colors */
2164 
2165     for (i = 0; i < 256; i++) {
2166         PixelFormat *pf = &vs->client_pf;
2167 
2168         vnc_write_u16(vs, (((i >> pf->rshift) & pf->rmax) << (16 - pf->rbits)));
2169         vnc_write_u16(vs, (((i >> pf->gshift) & pf->gmax) << (16 - pf->gbits)));
2170         vnc_write_u16(vs, (((i >> pf->bshift) & pf->bmax) << (16 - pf->bbits)));
2171     }
2172 }
2173 
2174 static void set_pixel_format(VncState *vs, int bits_per_pixel,
2175                              int big_endian_flag, int true_color_flag,
2176                              int red_max, int green_max, int blue_max,
2177                              int red_shift, int green_shift, int blue_shift)
2178 {
2179     if (!true_color_flag) {
2180         /* Expose a reasonable default 256 color map */
2181         bits_per_pixel = 8;
2182         red_max = 7;
2183         green_max = 7;
2184         blue_max = 3;
2185         red_shift = 0;
2186         green_shift = 3;
2187         blue_shift = 6;
2188     }
2189 
2190     switch (bits_per_pixel) {
2191     case 8:
2192     case 16:
2193     case 32:
2194         break;
2195     default:
2196         vnc_client_error(vs);
2197         return;
2198     }
2199 
2200     vs->client_pf.rmax = red_max ? red_max : 0xFF;
2201     vs->client_pf.rbits = ctpopl(red_max);
2202     vs->client_pf.rshift = red_shift;
2203     vs->client_pf.rmask = red_max << red_shift;
2204     vs->client_pf.gmax = green_max ? green_max : 0xFF;
2205     vs->client_pf.gbits = ctpopl(green_max);
2206     vs->client_pf.gshift = green_shift;
2207     vs->client_pf.gmask = green_max << green_shift;
2208     vs->client_pf.bmax = blue_max ? blue_max : 0xFF;
2209     vs->client_pf.bbits = ctpopl(blue_max);
2210     vs->client_pf.bshift = blue_shift;
2211     vs->client_pf.bmask = blue_max << blue_shift;
2212     vs->client_pf.bits_per_pixel = bits_per_pixel;
2213     vs->client_pf.bytes_per_pixel = bits_per_pixel / 8;
2214     vs->client_pf.depth = bits_per_pixel == 32 ? 24 : bits_per_pixel;
2215     vs->client_be = big_endian_flag;
2216 
2217     if (!true_color_flag) {
2218         send_color_map(vs);
2219     }
2220 
2221     set_pixel_conversion(vs);
2222 
2223     graphic_hw_invalidate(vs->vd->dcl.con);
2224     graphic_hw_update(vs->vd->dcl.con);
2225 }
2226 
2227 static void pixel_format_message (VncState *vs) {
2228     char pad[3] = { 0, 0, 0 };
2229 
2230     vs->client_pf = qemu_default_pixelformat(32);
2231 
2232     vnc_write_u8(vs, vs->client_pf.bits_per_pixel); /* bits-per-pixel */
2233     vnc_write_u8(vs, vs->client_pf.depth); /* depth */
2234 
2235 #ifdef HOST_WORDS_BIGENDIAN
2236     vnc_write_u8(vs, 1);             /* big-endian-flag */
2237 #else
2238     vnc_write_u8(vs, 0);             /* big-endian-flag */
2239 #endif
2240     vnc_write_u8(vs, 1);             /* true-color-flag */
2241     vnc_write_u16(vs, vs->client_pf.rmax);     /* red-max */
2242     vnc_write_u16(vs, vs->client_pf.gmax);     /* green-max */
2243     vnc_write_u16(vs, vs->client_pf.bmax);     /* blue-max */
2244     vnc_write_u8(vs, vs->client_pf.rshift);    /* red-shift */
2245     vnc_write_u8(vs, vs->client_pf.gshift);    /* green-shift */
2246     vnc_write_u8(vs, vs->client_pf.bshift);    /* blue-shift */
2247     vnc_write(vs, pad, 3);           /* padding */
2248 
2249     vnc_hextile_set_pixel_conversion(vs, 0);
2250     vs->write_pixels = vnc_write_pixels_copy;
2251 }
2252 
2253 static void vnc_colordepth(VncState *vs)
2254 {
2255     if (vnc_has_feature(vs, VNC_FEATURE_WMVI)) {
2256         /* Sending a WMVi message to notify the client*/
2257         vnc_lock_output(vs);
2258         vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2259         vnc_write_u8(vs, 0);
2260         vnc_write_u16(vs, 1); /* number of rects */
2261         vnc_framebuffer_update(vs, 0, 0,
2262                                pixman_image_get_width(vs->vd->server),
2263                                pixman_image_get_height(vs->vd->server),
2264                                VNC_ENCODING_WMVi);
2265         pixel_format_message(vs);
2266         vnc_unlock_output(vs);
2267         vnc_flush(vs);
2268     } else {
2269         set_pixel_conversion(vs);
2270     }
2271 }
2272 
2273 static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
2274 {
2275     int i;
2276     uint16_t limit;
2277     uint32_t freq;
2278     VncDisplay *vd = vs->vd;
2279 
2280     if (data[0] > 3) {
2281         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
2282     }
2283 
2284     switch (data[0]) {
2285     case VNC_MSG_CLIENT_SET_PIXEL_FORMAT:
2286         if (len == 1)
2287             return 20;
2288 
2289         set_pixel_format(vs, read_u8(data, 4),
2290                          read_u8(data, 6), read_u8(data, 7),
2291                          read_u16(data, 8), read_u16(data, 10),
2292                          read_u16(data, 12), read_u8(data, 14),
2293                          read_u8(data, 15), read_u8(data, 16));
2294         break;
2295     case VNC_MSG_CLIENT_SET_ENCODINGS:
2296         if (len == 1)
2297             return 4;
2298 
2299         if (len == 4) {
2300             limit = read_u16(data, 2);
2301             if (limit > 0)
2302                 return 4 + (limit * 4);
2303         } else
2304             limit = read_u16(data, 2);
2305 
2306         for (i = 0; i < limit; i++) {
2307             int32_t val = read_s32(data, 4 + (i * 4));
2308             memcpy(data + 4 + (i * 4), &val, sizeof(val));
2309         }
2310 
2311         set_encodings(vs, (int32_t *)(data + 4), limit);
2312         break;
2313     case VNC_MSG_CLIENT_FRAMEBUFFER_UPDATE_REQUEST:
2314         if (len == 1)
2315             return 10;
2316 
2317         framebuffer_update_request(vs,
2318                                    read_u8(data, 1), read_u16(data, 2), read_u16(data, 4),
2319                                    read_u16(data, 6), read_u16(data, 8));
2320         break;
2321     case VNC_MSG_CLIENT_KEY_EVENT:
2322         if (len == 1)
2323             return 8;
2324 
2325         key_event(vs, read_u8(data, 1), read_u32(data, 4));
2326         break;
2327     case VNC_MSG_CLIENT_POINTER_EVENT:
2328         if (len == 1)
2329             return 6;
2330 
2331         pointer_event(vs, read_u8(data, 1), read_u16(data, 2), read_u16(data, 4));
2332         break;
2333     case VNC_MSG_CLIENT_CUT_TEXT:
2334         if (len == 1) {
2335             return 8;
2336         }
2337         if (len == 8) {
2338             uint32_t dlen = read_u32(data, 4);
2339             if (dlen > (1 << 20)) {
2340                 error_report("vnc: client_cut_text msg payload has %u bytes"
2341                              " which exceeds our limit of 1MB.", dlen);
2342                 vnc_client_error(vs);
2343                 break;
2344             }
2345             if (dlen > 0) {
2346                 return 8 + dlen;
2347             }
2348         }
2349 
2350         client_cut_text(vs, read_u32(data, 4), data + 8);
2351         break;
2352     case VNC_MSG_CLIENT_QEMU:
2353         if (len == 1)
2354             return 2;
2355 
2356         switch (read_u8(data, 1)) {
2357         case VNC_MSG_CLIENT_QEMU_EXT_KEY_EVENT:
2358             if (len == 2)
2359                 return 12;
2360 
2361             ext_key_event(vs, read_u16(data, 2),
2362                           read_u32(data, 4), read_u32(data, 8));
2363             break;
2364         case VNC_MSG_CLIENT_QEMU_AUDIO:
2365             if (len == 2)
2366                 return 4;
2367 
2368             switch (read_u16 (data, 2)) {
2369             case VNC_MSG_CLIENT_QEMU_AUDIO_ENABLE:
2370                 audio_add(vs);
2371                 break;
2372             case VNC_MSG_CLIENT_QEMU_AUDIO_DISABLE:
2373                 audio_del(vs);
2374                 break;
2375             case VNC_MSG_CLIENT_QEMU_AUDIO_SET_FORMAT:
2376                 if (len == 4)
2377                     return 10;
2378                 switch (read_u8(data, 4)) {
2379                 case 0: vs->as.fmt = AUDIO_FORMAT_U8; break;
2380                 case 1: vs->as.fmt = AUDIO_FORMAT_S8; break;
2381                 case 2: vs->as.fmt = AUDIO_FORMAT_U16; break;
2382                 case 3: vs->as.fmt = AUDIO_FORMAT_S16; break;
2383                 case 4: vs->as.fmt = AUDIO_FORMAT_U32; break;
2384                 case 5: vs->as.fmt = AUDIO_FORMAT_S32; break;
2385                 default:
2386                     VNC_DEBUG("Invalid audio format %d\n", read_u8(data, 4));
2387                     vnc_client_error(vs);
2388                     break;
2389                 }
2390                 vs->as.nchannels = read_u8(data, 5);
2391                 if (vs->as.nchannels != 1 && vs->as.nchannels != 2) {
2392                     VNC_DEBUG("Invalid audio channel count %d\n",
2393                               read_u8(data, 5));
2394                     vnc_client_error(vs);
2395                     break;
2396                 }
2397                 freq = read_u32(data, 6);
2398                 /* No official limit for protocol, but 48khz is a sensible
2399                  * upper bound for trustworthy clients, and this limit
2400                  * protects calculations involving 'vs->as.freq' later.
2401                  */
2402                 if (freq > 48000) {
2403                     VNC_DEBUG("Invalid audio frequency %u > 48000", freq);
2404                     vnc_client_error(vs);
2405                     break;
2406                 }
2407                 vs->as.freq = freq;
2408                 break;
2409             default:
2410                 VNC_DEBUG("Invalid audio message %d\n", read_u8(data, 4));
2411                 vnc_client_error(vs);
2412                 break;
2413             }
2414             break;
2415 
2416         default:
2417             VNC_DEBUG("Msg: %d\n", read_u16(data, 0));
2418             vnc_client_error(vs);
2419             break;
2420         }
2421         break;
2422     default:
2423         VNC_DEBUG("Msg: %d\n", data[0]);
2424         vnc_client_error(vs);
2425         break;
2426     }
2427 
2428     vnc_update_throttle_offset(vs);
2429     vnc_read_when(vs, protocol_client_msg, 1);
2430     return 0;
2431 }
2432 
2433 static int protocol_client_init(VncState *vs, uint8_t *data, size_t len)
2434 {
2435     char buf[1024];
2436     VncShareMode mode;
2437     int size;
2438 
2439     mode = data[0] ? VNC_SHARE_MODE_SHARED : VNC_SHARE_MODE_EXCLUSIVE;
2440     switch (vs->vd->share_policy) {
2441     case VNC_SHARE_POLICY_IGNORE:
2442         /*
2443          * Ignore the shared flag.  Nothing to do here.
2444          *
2445          * Doesn't conform to the rfb spec but is traditional qemu
2446          * behavior, thus left here as option for compatibility
2447          * reasons.
2448          */
2449         break;
2450     case VNC_SHARE_POLICY_ALLOW_EXCLUSIVE:
2451         /*
2452          * Policy: Allow clients ask for exclusive access.
2453          *
2454          * Implementation: When a client asks for exclusive access,
2455          * disconnect all others. Shared connects are allowed as long
2456          * as no exclusive connection exists.
2457          *
2458          * This is how the rfb spec suggests to handle the shared flag.
2459          */
2460         if (mode == VNC_SHARE_MODE_EXCLUSIVE) {
2461             VncState *client;
2462             QTAILQ_FOREACH(client, &vs->vd->clients, next) {
2463                 if (vs == client) {
2464                     continue;
2465                 }
2466                 if (client->share_mode != VNC_SHARE_MODE_EXCLUSIVE &&
2467                     client->share_mode != VNC_SHARE_MODE_SHARED) {
2468                     continue;
2469                 }
2470                 vnc_disconnect_start(client);
2471             }
2472         }
2473         if (mode == VNC_SHARE_MODE_SHARED) {
2474             if (vs->vd->num_exclusive > 0) {
2475                 vnc_disconnect_start(vs);
2476                 return 0;
2477             }
2478         }
2479         break;
2480     case VNC_SHARE_POLICY_FORCE_SHARED:
2481         /*
2482          * Policy: Shared connects only.
2483          * Implementation: Disallow clients asking for exclusive access.
2484          *
2485          * Useful for shared desktop sessions where you don't want
2486          * someone forgetting to say -shared when running the vnc
2487          * client disconnect everybody else.
2488          */
2489         if (mode == VNC_SHARE_MODE_EXCLUSIVE) {
2490             vnc_disconnect_start(vs);
2491             return 0;
2492         }
2493         break;
2494     }
2495     vnc_set_share_mode(vs, mode);
2496 
2497     if (vs->vd->num_shared > vs->vd->connections_limit) {
2498         vnc_disconnect_start(vs);
2499         return 0;
2500     }
2501 
2502     assert(pixman_image_get_width(vs->vd->server) < 65536 &&
2503            pixman_image_get_width(vs->vd->server) >= 0);
2504     assert(pixman_image_get_height(vs->vd->server) < 65536 &&
2505            pixman_image_get_height(vs->vd->server) >= 0);
2506     vs->client_width = pixman_image_get_width(vs->vd->server);
2507     vs->client_height = pixman_image_get_height(vs->vd->server);
2508     vnc_write_u16(vs, vs->client_width);
2509     vnc_write_u16(vs, vs->client_height);
2510 
2511     pixel_format_message(vs);
2512 
2513     if (qemu_name) {
2514         size = snprintf(buf, sizeof(buf), "QEMU (%s)", qemu_name);
2515         if (size > sizeof(buf)) {
2516             size = sizeof(buf);
2517         }
2518     } else {
2519         size = snprintf(buf, sizeof(buf), "QEMU");
2520     }
2521 
2522     vnc_write_u32(vs, size);
2523     vnc_write(vs, buf, size);
2524     vnc_flush(vs);
2525 
2526     vnc_client_cache_auth(vs);
2527     vnc_qmp_event(vs, QAPI_EVENT_VNC_INITIALIZED);
2528 
2529     vnc_read_when(vs, protocol_client_msg, 1);
2530 
2531     return 0;
2532 }
2533 
2534 void start_client_init(VncState *vs)
2535 {
2536     vnc_read_when(vs, protocol_client_init, 1);
2537 }
2538 
2539 static void authentication_failed(VncState *vs)
2540 {
2541     vnc_write_u32(vs, 1); /* Reject auth */
2542     if (vs->minor >= 8) {
2543         static const char err[] = "Authentication failed";
2544         vnc_write_u32(vs, sizeof(err));
2545         vnc_write(vs, err, sizeof(err));
2546     }
2547     vnc_flush(vs);
2548     vnc_client_error(vs);
2549 }
2550 
2551 static int protocol_client_auth_vnc(VncState *vs, uint8_t *data, size_t len)
2552 {
2553     unsigned char response[VNC_AUTH_CHALLENGE_SIZE];
2554     size_t i, pwlen;
2555     unsigned char key[8];
2556     time_t now = time(NULL);
2557     QCryptoCipher *cipher = NULL;
2558     Error *err = NULL;
2559 
2560     if (!vs->vd->password) {
2561         trace_vnc_auth_fail(vs, vs->auth, "password is not set", "");
2562         goto reject;
2563     }
2564     if (vs->vd->expires < now) {
2565         trace_vnc_auth_fail(vs, vs->auth, "password is expired", "");
2566         goto reject;
2567     }
2568 
2569     memcpy(response, vs->challenge, VNC_AUTH_CHALLENGE_SIZE);
2570 
2571     /* Calculate the expected challenge response */
2572     pwlen = strlen(vs->vd->password);
2573     for (i=0; i<sizeof(key); i++)
2574         key[i] = i<pwlen ? vs->vd->password[i] : 0;
2575 
2576     cipher = qcrypto_cipher_new(
2577         QCRYPTO_CIPHER_ALG_DES_RFB,
2578         QCRYPTO_CIPHER_MODE_ECB,
2579         key, G_N_ELEMENTS(key),
2580         &err);
2581     if (!cipher) {
2582         trace_vnc_auth_fail(vs, vs->auth, "cannot create cipher",
2583                             error_get_pretty(err));
2584         error_free(err);
2585         goto reject;
2586     }
2587 
2588     if (qcrypto_cipher_encrypt(cipher,
2589                                vs->challenge,
2590                                response,
2591                                VNC_AUTH_CHALLENGE_SIZE,
2592                                &err) < 0) {
2593         trace_vnc_auth_fail(vs, vs->auth, "cannot encrypt challenge response",
2594                             error_get_pretty(err));
2595         error_free(err);
2596         goto reject;
2597     }
2598 
2599     /* Compare expected vs actual challenge response */
2600     if (memcmp(response, data, VNC_AUTH_CHALLENGE_SIZE) != 0) {
2601         trace_vnc_auth_fail(vs, vs->auth, "mis-matched challenge response", "");
2602         goto reject;
2603     } else {
2604         trace_vnc_auth_pass(vs, vs->auth);
2605         vnc_write_u32(vs, 0); /* Accept auth */
2606         vnc_flush(vs);
2607 
2608         start_client_init(vs);
2609     }
2610 
2611     qcrypto_cipher_free(cipher);
2612     return 0;
2613 
2614 reject:
2615     authentication_failed(vs);
2616     qcrypto_cipher_free(cipher);
2617     return 0;
2618 }
2619 
2620 void start_auth_vnc(VncState *vs)
2621 {
2622     Error *err = NULL;
2623 
2624     if (qcrypto_random_bytes(vs->challenge, sizeof(vs->challenge), &err)) {
2625         trace_vnc_auth_fail(vs, vs->auth, "cannot get random bytes",
2626                             error_get_pretty(err));
2627         error_free(err);
2628         authentication_failed(vs);
2629         return;
2630     }
2631 
2632     /* Send client a 'random' challenge */
2633     vnc_write(vs, vs->challenge, sizeof(vs->challenge));
2634     vnc_flush(vs);
2635 
2636     vnc_read_when(vs, protocol_client_auth_vnc, sizeof(vs->challenge));
2637 }
2638 
2639 
2640 static int protocol_client_auth(VncState *vs, uint8_t *data, size_t len)
2641 {
2642     /* We only advertise 1 auth scheme at a time, so client
2643      * must pick the one we sent. Verify this */
2644     if (data[0] != vs->auth) { /* Reject auth */
2645        trace_vnc_auth_reject(vs, vs->auth, (int)data[0]);
2646        authentication_failed(vs);
2647     } else { /* Accept requested auth */
2648        trace_vnc_auth_start(vs, vs->auth);
2649        switch (vs->auth) {
2650        case VNC_AUTH_NONE:
2651            if (vs->minor >= 8) {
2652                vnc_write_u32(vs, 0); /* Accept auth completion */
2653                vnc_flush(vs);
2654            }
2655            trace_vnc_auth_pass(vs, vs->auth);
2656            start_client_init(vs);
2657            break;
2658 
2659        case VNC_AUTH_VNC:
2660            start_auth_vnc(vs);
2661            break;
2662 
2663        case VNC_AUTH_VENCRYPT:
2664            start_auth_vencrypt(vs);
2665            break;
2666 
2667 #ifdef CONFIG_VNC_SASL
2668        case VNC_AUTH_SASL:
2669            start_auth_sasl(vs);
2670            break;
2671 #endif /* CONFIG_VNC_SASL */
2672 
2673        default: /* Should not be possible, but just in case */
2674            trace_vnc_auth_fail(vs, vs->auth, "Unhandled auth method", "");
2675            authentication_failed(vs);
2676        }
2677     }
2678     return 0;
2679 }
2680 
2681 static int protocol_version(VncState *vs, uint8_t *version, size_t len)
2682 {
2683     char local[13];
2684 
2685     memcpy(local, version, 12);
2686     local[12] = 0;
2687 
2688     if (sscanf(local, "RFB %03d.%03d\n", &vs->major, &vs->minor) != 2) {
2689         VNC_DEBUG("Malformed protocol version %s\n", local);
2690         vnc_client_error(vs);
2691         return 0;
2692     }
2693     VNC_DEBUG("Client request protocol version %d.%d\n", vs->major, vs->minor);
2694     if (vs->major != 3 ||
2695         (vs->minor != 3 &&
2696          vs->minor != 4 &&
2697          vs->minor != 5 &&
2698          vs->minor != 7 &&
2699          vs->minor != 8)) {
2700         VNC_DEBUG("Unsupported client version\n");
2701         vnc_write_u32(vs, VNC_AUTH_INVALID);
2702         vnc_flush(vs);
2703         vnc_client_error(vs);
2704         return 0;
2705     }
2706     /* Some broken clients report v3.4 or v3.5, which spec requires to be treated
2707      * as equivalent to v3.3 by servers
2708      */
2709     if (vs->minor == 4 || vs->minor == 5)
2710         vs->minor = 3;
2711 
2712     if (vs->minor == 3) {
2713         trace_vnc_auth_start(vs, vs->auth);
2714         if (vs->auth == VNC_AUTH_NONE) {
2715             vnc_write_u32(vs, vs->auth);
2716             vnc_flush(vs);
2717             trace_vnc_auth_pass(vs, vs->auth);
2718             start_client_init(vs);
2719        } else if (vs->auth == VNC_AUTH_VNC) {
2720             VNC_DEBUG("Tell client VNC auth\n");
2721             vnc_write_u32(vs, vs->auth);
2722             vnc_flush(vs);
2723             start_auth_vnc(vs);
2724        } else {
2725             trace_vnc_auth_fail(vs, vs->auth,
2726                                 "Unsupported auth method for v3.3", "");
2727             vnc_write_u32(vs, VNC_AUTH_INVALID);
2728             vnc_flush(vs);
2729             vnc_client_error(vs);
2730        }
2731     } else {
2732         vnc_write_u8(vs, 1); /* num auth */
2733         vnc_write_u8(vs, vs->auth);
2734         vnc_read_when(vs, protocol_client_auth, 1);
2735         vnc_flush(vs);
2736     }
2737 
2738     return 0;
2739 }
2740 
2741 static VncRectStat *vnc_stat_rect(VncDisplay *vd, int x, int y)
2742 {
2743     struct VncSurface *vs = &vd->guest;
2744 
2745     return &vs->stats[y / VNC_STAT_RECT][x / VNC_STAT_RECT];
2746 }
2747 
2748 void vnc_sent_lossy_rect(VncState *vs, int x, int y, int w, int h)
2749 {
2750     int i, j;
2751 
2752     w = (x + w) / VNC_STAT_RECT;
2753     h = (y + h) / VNC_STAT_RECT;
2754     x /= VNC_STAT_RECT;
2755     y /= VNC_STAT_RECT;
2756 
2757     for (j = y; j <= h; j++) {
2758         for (i = x; i <= w; i++) {
2759             vs->lossy_rect[j][i] = 1;
2760         }
2761     }
2762 }
2763 
2764 static int vnc_refresh_lossy_rect(VncDisplay *vd, int x, int y)
2765 {
2766     VncState *vs;
2767     int sty = y / VNC_STAT_RECT;
2768     int stx = x / VNC_STAT_RECT;
2769     int has_dirty = 0;
2770 
2771     y = QEMU_ALIGN_DOWN(y, VNC_STAT_RECT);
2772     x = QEMU_ALIGN_DOWN(x, VNC_STAT_RECT);
2773 
2774     QTAILQ_FOREACH(vs, &vd->clients, next) {
2775         int j;
2776 
2777         /* kernel send buffers are full -> refresh later */
2778         if (vs->output.offset) {
2779             continue;
2780         }
2781 
2782         if (!vs->lossy_rect[sty][stx]) {
2783             continue;
2784         }
2785 
2786         vs->lossy_rect[sty][stx] = 0;
2787         for (j = 0; j < VNC_STAT_RECT; ++j) {
2788             bitmap_set(vs->dirty[y + j],
2789                        x / VNC_DIRTY_PIXELS_PER_BIT,
2790                        VNC_STAT_RECT / VNC_DIRTY_PIXELS_PER_BIT);
2791         }
2792         has_dirty++;
2793     }
2794 
2795     return has_dirty;
2796 }
2797 
2798 static int vnc_update_stats(VncDisplay *vd,  struct timeval * tv)
2799 {
2800     int width = MIN(pixman_image_get_width(vd->guest.fb),
2801                     pixman_image_get_width(vd->server));
2802     int height = MIN(pixman_image_get_height(vd->guest.fb),
2803                      pixman_image_get_height(vd->server));
2804     int x, y;
2805     struct timeval res;
2806     int has_dirty = 0;
2807 
2808     for (y = 0; y < height; y += VNC_STAT_RECT) {
2809         for (x = 0; x < width; x += VNC_STAT_RECT) {
2810             VncRectStat *rect = vnc_stat_rect(vd, x, y);
2811 
2812             rect->updated = false;
2813         }
2814     }
2815 
2816     qemu_timersub(tv, &VNC_REFRESH_STATS, &res);
2817 
2818     if (timercmp(&vd->guest.last_freq_check, &res, >)) {
2819         return has_dirty;
2820     }
2821     vd->guest.last_freq_check = *tv;
2822 
2823     for (y = 0; y < height; y += VNC_STAT_RECT) {
2824         for (x = 0; x < width; x += VNC_STAT_RECT) {
2825             VncRectStat *rect= vnc_stat_rect(vd, x, y);
2826             int count = ARRAY_SIZE(rect->times);
2827             struct timeval min, max;
2828 
2829             if (!timerisset(&rect->times[count - 1])) {
2830                 continue ;
2831             }
2832 
2833             max = rect->times[(rect->idx + count - 1) % count];
2834             qemu_timersub(tv, &max, &res);
2835 
2836             if (timercmp(&res, &VNC_REFRESH_LOSSY, >)) {
2837                 rect->freq = 0;
2838                 has_dirty += vnc_refresh_lossy_rect(vd, x, y);
2839                 memset(rect->times, 0, sizeof (rect->times));
2840                 continue ;
2841             }
2842 
2843             min = rect->times[rect->idx];
2844             max = rect->times[(rect->idx + count - 1) % count];
2845             qemu_timersub(&max, &min, &res);
2846 
2847             rect->freq = res.tv_sec + res.tv_usec / 1000000.;
2848             rect->freq /= count;
2849             rect->freq = 1. / rect->freq;
2850         }
2851     }
2852     return has_dirty;
2853 }
2854 
2855 double vnc_update_freq(VncState *vs, int x, int y, int w, int h)
2856 {
2857     int i, j;
2858     double total = 0;
2859     int num = 0;
2860 
2861     x =  QEMU_ALIGN_DOWN(x, VNC_STAT_RECT);
2862     y =  QEMU_ALIGN_DOWN(y, VNC_STAT_RECT);
2863 
2864     for (j = y; j <= y + h; j += VNC_STAT_RECT) {
2865         for (i = x; i <= x + w; i += VNC_STAT_RECT) {
2866             total += vnc_stat_rect(vs->vd, i, j)->freq;
2867             num++;
2868         }
2869     }
2870 
2871     if (num) {
2872         return total / num;
2873     } else {
2874         return 0;
2875     }
2876 }
2877 
2878 static void vnc_rect_updated(VncDisplay *vd, int x, int y, struct timeval * tv)
2879 {
2880     VncRectStat *rect;
2881 
2882     rect = vnc_stat_rect(vd, x, y);
2883     if (rect->updated) {
2884         return ;
2885     }
2886     rect->times[rect->idx] = *tv;
2887     rect->idx = (rect->idx + 1) % ARRAY_SIZE(rect->times);
2888     rect->updated = true;
2889 }
2890 
2891 static int vnc_refresh_server_surface(VncDisplay *vd)
2892 {
2893     int width = MIN(pixman_image_get_width(vd->guest.fb),
2894                     pixman_image_get_width(vd->server));
2895     int height = MIN(pixman_image_get_height(vd->guest.fb),
2896                      pixman_image_get_height(vd->server));
2897     int cmp_bytes, server_stride, line_bytes, guest_ll, guest_stride, y = 0;
2898     uint8_t *guest_row0 = NULL, *server_row0;
2899     VncState *vs;
2900     int has_dirty = 0;
2901     pixman_image_t *tmpbuf = NULL;
2902 
2903     struct timeval tv = { 0, 0 };
2904 
2905     if (!vd->non_adaptive) {
2906         gettimeofday(&tv, NULL);
2907         has_dirty = vnc_update_stats(vd, &tv);
2908     }
2909 
2910     /*
2911      * Walk through the guest dirty map.
2912      * Check and copy modified bits from guest to server surface.
2913      * Update server dirty map.
2914      */
2915     server_row0 = (uint8_t *)pixman_image_get_data(vd->server);
2916     server_stride = guest_stride = guest_ll =
2917         pixman_image_get_stride(vd->server);
2918     cmp_bytes = MIN(VNC_DIRTY_PIXELS_PER_BIT * VNC_SERVER_FB_BYTES,
2919                     server_stride);
2920     if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
2921         int width = pixman_image_get_width(vd->server);
2922         tmpbuf = qemu_pixman_linebuf_create(VNC_SERVER_FB_FORMAT, width);
2923     } else {
2924         int guest_bpp =
2925             PIXMAN_FORMAT_BPP(pixman_image_get_format(vd->guest.fb));
2926         guest_row0 = (uint8_t *)pixman_image_get_data(vd->guest.fb);
2927         guest_stride = pixman_image_get_stride(vd->guest.fb);
2928         guest_ll = pixman_image_get_width(vd->guest.fb)
2929                    * DIV_ROUND_UP(guest_bpp, 8);
2930     }
2931     line_bytes = MIN(server_stride, guest_ll);
2932 
2933     for (;;) {
2934         int x;
2935         uint8_t *guest_ptr, *server_ptr;
2936         unsigned long offset = find_next_bit((unsigned long *) &vd->guest.dirty,
2937                                              height * VNC_DIRTY_BPL(&vd->guest),
2938                                              y * VNC_DIRTY_BPL(&vd->guest));
2939         if (offset == height * VNC_DIRTY_BPL(&vd->guest)) {
2940             /* no more dirty bits */
2941             break;
2942         }
2943         y = offset / VNC_DIRTY_BPL(&vd->guest);
2944         x = offset % VNC_DIRTY_BPL(&vd->guest);
2945 
2946         server_ptr = server_row0 + y * server_stride + x * cmp_bytes;
2947 
2948         if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
2949             qemu_pixman_linebuf_fill(tmpbuf, vd->guest.fb, width, 0, y);
2950             guest_ptr = (uint8_t *)pixman_image_get_data(tmpbuf);
2951         } else {
2952             guest_ptr = guest_row0 + y * guest_stride;
2953         }
2954         guest_ptr += x * cmp_bytes;
2955 
2956         for (; x < DIV_ROUND_UP(width, VNC_DIRTY_PIXELS_PER_BIT);
2957              x++, guest_ptr += cmp_bytes, server_ptr += cmp_bytes) {
2958             int _cmp_bytes = cmp_bytes;
2959             if (!test_and_clear_bit(x, vd->guest.dirty[y])) {
2960                 continue;
2961             }
2962             if ((x + 1) * cmp_bytes > line_bytes) {
2963                 _cmp_bytes = line_bytes - x * cmp_bytes;
2964             }
2965             assert(_cmp_bytes >= 0);
2966             if (memcmp(server_ptr, guest_ptr, _cmp_bytes) == 0) {
2967                 continue;
2968             }
2969             memcpy(server_ptr, guest_ptr, _cmp_bytes);
2970             if (!vd->non_adaptive) {
2971                 vnc_rect_updated(vd, x * VNC_DIRTY_PIXELS_PER_BIT,
2972                                  y, &tv);
2973             }
2974             QTAILQ_FOREACH(vs, &vd->clients, next) {
2975                 set_bit(x, vs->dirty[y]);
2976             }
2977             has_dirty++;
2978         }
2979 
2980         y++;
2981     }
2982     qemu_pixman_image_unref(tmpbuf);
2983     return has_dirty;
2984 }
2985 
2986 static void vnc_refresh(DisplayChangeListener *dcl)
2987 {
2988     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
2989     VncState *vs, *vn;
2990     int has_dirty, rects = 0;
2991 
2992     if (QTAILQ_EMPTY(&vd->clients)) {
2993         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_MAX);
2994         return;
2995     }
2996 
2997     graphic_hw_update(vd->dcl.con);
2998 
2999     if (vnc_trylock_display(vd)) {
3000         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
3001         return;
3002     }
3003 
3004     has_dirty = vnc_refresh_server_surface(vd);
3005     vnc_unlock_display(vd);
3006 
3007     QTAILQ_FOREACH_SAFE(vs, &vd->clients, next, vn) {
3008         rects += vnc_update_client(vs, has_dirty);
3009         /* vs might be free()ed here */
3010     }
3011 
3012     if (has_dirty && rects) {
3013         vd->dcl.update_interval /= 2;
3014         if (vd->dcl.update_interval < VNC_REFRESH_INTERVAL_BASE) {
3015             vd->dcl.update_interval = VNC_REFRESH_INTERVAL_BASE;
3016         }
3017     } else {
3018         vd->dcl.update_interval += VNC_REFRESH_INTERVAL_INC;
3019         if (vd->dcl.update_interval > VNC_REFRESH_INTERVAL_MAX) {
3020             vd->dcl.update_interval = VNC_REFRESH_INTERVAL_MAX;
3021         }
3022     }
3023 }
3024 
3025 static void vnc_connect(VncDisplay *vd, QIOChannelSocket *sioc,
3026                         bool skipauth, bool websocket)
3027 {
3028     VncState *vs = g_new0(VncState, 1);
3029     bool first_client = QTAILQ_EMPTY(&vd->clients);
3030     int i;
3031 
3032     trace_vnc_client_connect(vs, sioc);
3033     vs->magic = VNC_MAGIC;
3034     vs->sioc = sioc;
3035     object_ref(OBJECT(vs->sioc));
3036     vs->ioc = QIO_CHANNEL(sioc);
3037     object_ref(OBJECT(vs->ioc));
3038     vs->vd = vd;
3039 
3040     buffer_init(&vs->input,          "vnc-input/%p", sioc);
3041     buffer_init(&vs->output,         "vnc-output/%p", sioc);
3042     buffer_init(&vs->jobs_buffer,    "vnc-jobs_buffer/%p", sioc);
3043 
3044     buffer_init(&vs->tight.tight,    "vnc-tight/%p", sioc);
3045     buffer_init(&vs->tight.zlib,     "vnc-tight-zlib/%p", sioc);
3046     buffer_init(&vs->tight.gradient, "vnc-tight-gradient/%p", sioc);
3047 #ifdef CONFIG_VNC_JPEG
3048     buffer_init(&vs->tight.jpeg,     "vnc-tight-jpeg/%p", sioc);
3049 #endif
3050 #ifdef CONFIG_VNC_PNG
3051     buffer_init(&vs->tight.png,      "vnc-tight-png/%p", sioc);
3052 #endif
3053     buffer_init(&vs->zlib.zlib,      "vnc-zlib/%p", sioc);
3054     buffer_init(&vs->zrle.zrle,      "vnc-zrle/%p", sioc);
3055     buffer_init(&vs->zrle.fb,        "vnc-zrle-fb/%p", sioc);
3056     buffer_init(&vs->zrle.zlib,      "vnc-zrle-zlib/%p", sioc);
3057 
3058     if (skipauth) {
3059         vs->auth = VNC_AUTH_NONE;
3060         vs->subauth = VNC_AUTH_INVALID;
3061     } else {
3062         if (websocket) {
3063             vs->auth = vd->ws_auth;
3064             vs->subauth = VNC_AUTH_INVALID;
3065         } else {
3066             vs->auth = vd->auth;
3067             vs->subauth = vd->subauth;
3068         }
3069     }
3070     VNC_DEBUG("Client sioc=%p ws=%d auth=%d subauth=%d\n",
3071               sioc, websocket, vs->auth, vs->subauth);
3072 
3073     vs->lossy_rect = g_malloc0(VNC_STAT_ROWS * sizeof (*vs->lossy_rect));
3074     for (i = 0; i < VNC_STAT_ROWS; ++i) {
3075         vs->lossy_rect[i] = g_new0(uint8_t, VNC_STAT_COLS);
3076     }
3077 
3078     VNC_DEBUG("New client on socket %p\n", vs->sioc);
3079     update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
3080     qio_channel_set_blocking(vs->ioc, false, NULL);
3081     if (vs->ioc_tag) {
3082         g_source_remove(vs->ioc_tag);
3083     }
3084     if (websocket) {
3085         vs->websocket = 1;
3086         if (vd->tlscreds) {
3087             vs->ioc_tag = qio_channel_add_watch(
3088                 vs->ioc, G_IO_IN, vncws_tls_handshake_io, vs, NULL);
3089         } else {
3090             vs->ioc_tag = qio_channel_add_watch(
3091                 vs->ioc, G_IO_IN, vncws_handshake_io, vs, NULL);
3092         }
3093     } else {
3094         vs->ioc_tag = qio_channel_add_watch(
3095             vs->ioc, G_IO_IN, vnc_client_io, vs, NULL);
3096     }
3097 
3098     vnc_client_cache_addr(vs);
3099     vnc_qmp_event(vs, QAPI_EVENT_VNC_CONNECTED);
3100     vnc_set_share_mode(vs, VNC_SHARE_MODE_CONNECTING);
3101 
3102     vs->last_x = -1;
3103     vs->last_y = -1;
3104 
3105     vs->as.freq = 44100;
3106     vs->as.nchannels = 2;
3107     vs->as.fmt = AUDIO_FORMAT_S16;
3108     vs->as.endianness = 0;
3109 
3110     qemu_mutex_init(&vs->output_mutex);
3111     vs->bh = qemu_bh_new(vnc_jobs_bh, vs);
3112 
3113     QTAILQ_INSERT_TAIL(&vd->clients, vs, next);
3114     if (first_client) {
3115         vnc_update_server_surface(vd);
3116     }
3117 
3118     graphic_hw_update(vd->dcl.con);
3119 
3120     if (!vs->websocket) {
3121         vnc_start_protocol(vs);
3122     }
3123 
3124     if (vd->num_connecting > vd->connections_limit) {
3125         QTAILQ_FOREACH(vs, &vd->clients, next) {
3126             if (vs->share_mode == VNC_SHARE_MODE_CONNECTING) {
3127                 vnc_disconnect_start(vs);
3128                 return;
3129             }
3130         }
3131     }
3132 }
3133 
3134 void vnc_start_protocol(VncState *vs)
3135 {
3136     vnc_write(vs, "RFB 003.008\n", 12);
3137     vnc_flush(vs);
3138     vnc_read_when(vs, protocol_version, 12);
3139 
3140     vs->mouse_mode_notifier.notify = check_pointer_type_change;
3141     qemu_add_mouse_mode_change_notifier(&vs->mouse_mode_notifier);
3142 }
3143 
3144 static void vnc_listen_io(QIONetListener *listener,
3145                           QIOChannelSocket *cioc,
3146                           void *opaque)
3147 {
3148     VncDisplay *vd = opaque;
3149     bool isWebsock = listener == vd->wslistener;
3150 
3151     qio_channel_set_name(QIO_CHANNEL(cioc),
3152                          isWebsock ? "vnc-ws-server" : "vnc-server");
3153     qio_channel_set_delay(QIO_CHANNEL(cioc), false);
3154     vnc_connect(vd, cioc, false, isWebsock);
3155 }
3156 
3157 static const DisplayChangeListenerOps dcl_ops = {
3158     .dpy_name             = "vnc",
3159     .dpy_refresh          = vnc_refresh,
3160     .dpy_gfx_update       = vnc_dpy_update,
3161     .dpy_gfx_switch       = vnc_dpy_switch,
3162     .dpy_gfx_check_format = qemu_pixman_check_format,
3163     .dpy_mouse_set        = vnc_mouse_set,
3164     .dpy_cursor_define    = vnc_dpy_cursor_define,
3165 };
3166 
3167 void vnc_display_init(const char *id, Error **errp)
3168 {
3169     VncDisplay *vd;
3170 
3171     if (vnc_display_find(id) != NULL) {
3172         return;
3173     }
3174     vd = g_malloc0(sizeof(*vd));
3175 
3176     vd->id = strdup(id);
3177     QTAILQ_INSERT_TAIL(&vnc_displays, vd, next);
3178 
3179     QTAILQ_INIT(&vd->clients);
3180     vd->expires = TIME_MAX;
3181 
3182     if (keyboard_layout) {
3183         trace_vnc_key_map_init(keyboard_layout);
3184         vd->kbd_layout = init_keyboard_layout(name2keysym,
3185                                               keyboard_layout, errp);
3186     } else {
3187         vd->kbd_layout = init_keyboard_layout(name2keysym, "en-us", errp);
3188     }
3189 
3190     if (!vd->kbd_layout) {
3191         return;
3192     }
3193 
3194     vd->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
3195     vd->connections_limit = 32;
3196 
3197     qemu_mutex_init(&vd->mutex);
3198     vnc_start_worker_thread();
3199 
3200     vd->dcl.ops = &dcl_ops;
3201     register_displaychangelistener(&vd->dcl);
3202     vd->kbd = qkbd_state_init(vd->dcl.con);
3203 }
3204 
3205 
3206 static void vnc_display_close(VncDisplay *vd)
3207 {
3208     if (!vd) {
3209         return;
3210     }
3211     vd->is_unix = false;
3212 
3213     if (vd->listener) {
3214         qio_net_listener_disconnect(vd->listener);
3215         object_unref(OBJECT(vd->listener));
3216     }
3217     vd->listener = NULL;
3218 
3219     if (vd->wslistener) {
3220         qio_net_listener_disconnect(vd->wslistener);
3221         object_unref(OBJECT(vd->wslistener));
3222     }
3223     vd->wslistener = NULL;
3224 
3225     vd->auth = VNC_AUTH_INVALID;
3226     vd->subauth = VNC_AUTH_INVALID;
3227     if (vd->tlscreds) {
3228         object_unparent(OBJECT(vd->tlscreds));
3229         vd->tlscreds = NULL;
3230     }
3231     if (vd->tlsauthz) {
3232         object_unparent(OBJECT(vd->tlsauthz));
3233         vd->tlsauthz = NULL;
3234     }
3235     g_free(vd->tlsauthzid);
3236     vd->tlsauthzid = NULL;
3237     if (vd->lock_key_sync) {
3238         qemu_remove_led_event_handler(vd->led);
3239         vd->led = NULL;
3240     }
3241 #ifdef CONFIG_VNC_SASL
3242     if (vd->sasl.authz) {
3243         object_unparent(OBJECT(vd->sasl.authz));
3244         vd->sasl.authz = NULL;
3245     }
3246     g_free(vd->sasl.authzid);
3247     vd->sasl.authzid = NULL;
3248 #endif
3249 }
3250 
3251 int vnc_display_password(const char *id, const char *password)
3252 {
3253     VncDisplay *vd = vnc_display_find(id);
3254 
3255     if (!vd) {
3256         return -EINVAL;
3257     }
3258     if (vd->auth == VNC_AUTH_NONE) {
3259         error_printf_unless_qmp("If you want use passwords please enable "
3260                                 "password auth using '-vnc ${dpy},password'.\n");
3261         return -EINVAL;
3262     }
3263 
3264     g_free(vd->password);
3265     vd->password = g_strdup(password);
3266 
3267     return 0;
3268 }
3269 
3270 int vnc_display_pw_expire(const char *id, time_t expires)
3271 {
3272     VncDisplay *vd = vnc_display_find(id);
3273 
3274     if (!vd) {
3275         return -EINVAL;
3276     }
3277 
3278     vd->expires = expires;
3279     return 0;
3280 }
3281 
3282 static void vnc_display_print_local_addr(VncDisplay *vd)
3283 {
3284     SocketAddress *addr;
3285     Error *err = NULL;
3286 
3287     if (!vd->listener || !vd->listener->nsioc) {
3288         return;
3289     }
3290 
3291     addr = qio_channel_socket_get_local_address(vd->listener->sioc[0], &err);
3292     if (!addr) {
3293         return;
3294     }
3295 
3296     if (addr->type != SOCKET_ADDRESS_TYPE_INET) {
3297         qapi_free_SocketAddress(addr);
3298         return;
3299     }
3300     error_printf_unless_qmp("VNC server running on %s:%s\n",
3301                             addr->u.inet.host,
3302                             addr->u.inet.port);
3303     qapi_free_SocketAddress(addr);
3304 }
3305 
3306 static QemuOptsList qemu_vnc_opts = {
3307     .name = "vnc",
3308     .head = QTAILQ_HEAD_INITIALIZER(qemu_vnc_opts.head),
3309     .implied_opt_name = "vnc",
3310     .desc = {
3311         {
3312             .name = "vnc",
3313             .type = QEMU_OPT_STRING,
3314         },{
3315             .name = "websocket",
3316             .type = QEMU_OPT_STRING,
3317         },{
3318             .name = "tls-creds",
3319             .type = QEMU_OPT_STRING,
3320         },{
3321             .name = "share",
3322             .type = QEMU_OPT_STRING,
3323         },{
3324             .name = "display",
3325             .type = QEMU_OPT_STRING,
3326         },{
3327             .name = "head",
3328             .type = QEMU_OPT_NUMBER,
3329         },{
3330             .name = "connections",
3331             .type = QEMU_OPT_NUMBER,
3332         },{
3333             .name = "to",
3334             .type = QEMU_OPT_NUMBER,
3335         },{
3336             .name = "ipv4",
3337             .type = QEMU_OPT_BOOL,
3338         },{
3339             .name = "ipv6",
3340             .type = QEMU_OPT_BOOL,
3341         },{
3342             .name = "password",
3343             .type = QEMU_OPT_BOOL,
3344         },{
3345             .name = "reverse",
3346             .type = QEMU_OPT_BOOL,
3347         },{
3348             .name = "lock-key-sync",
3349             .type = QEMU_OPT_BOOL,
3350         },{
3351             .name = "key-delay-ms",
3352             .type = QEMU_OPT_NUMBER,
3353         },{
3354             .name = "sasl",
3355             .type = QEMU_OPT_BOOL,
3356         },{
3357             .name = "acl",
3358             .type = QEMU_OPT_BOOL,
3359         },{
3360             .name = "tls-authz",
3361             .type = QEMU_OPT_STRING,
3362         },{
3363             .name = "sasl-authz",
3364             .type = QEMU_OPT_STRING,
3365         },{
3366             .name = "lossy",
3367             .type = QEMU_OPT_BOOL,
3368         },{
3369             .name = "non-adaptive",
3370             .type = QEMU_OPT_BOOL,
3371         },
3372         { /* end of list */ }
3373     },
3374 };
3375 
3376 
3377 static int
3378 vnc_display_setup_auth(int *auth,
3379                        int *subauth,
3380                        QCryptoTLSCreds *tlscreds,
3381                        bool password,
3382                        bool sasl,
3383                        bool websocket,
3384                        Error **errp)
3385 {
3386     /*
3387      * We have a choice of 3 authentication options
3388      *
3389      *   1. none
3390      *   2. vnc
3391      *   3. sasl
3392      *
3393      * The channel can be run in 2 modes
3394      *
3395      *   1. clear
3396      *   2. tls
3397      *
3398      * And TLS can use 2 types of credentials
3399      *
3400      *   1. anon
3401      *   2. x509
3402      *
3403      * We thus have 9 possible logical combinations
3404      *
3405      *   1. clear + none
3406      *   2. clear + vnc
3407      *   3. clear + sasl
3408      *   4. tls + anon + none
3409      *   5. tls + anon + vnc
3410      *   6. tls + anon + sasl
3411      *   7. tls + x509 + none
3412      *   8. tls + x509 + vnc
3413      *   9. tls + x509 + sasl
3414      *
3415      * These need to be mapped into the VNC auth schemes
3416      * in an appropriate manner. In regular VNC, all the
3417      * TLS options get mapped into VNC_AUTH_VENCRYPT
3418      * sub-auth types.
3419      *
3420      * In websockets, the https:// protocol already provides
3421      * TLS support, so there is no need to make use of the
3422      * VeNCrypt extension. Furthermore, websockets browser
3423      * clients could not use VeNCrypt even if they wanted to,
3424      * as they cannot control when the TLS handshake takes
3425      * place. Thus there is no option but to rely on https://,
3426      * meaning combinations 4->6 and 7->9 will be mapped to
3427      * VNC auth schemes in the same way as combos 1->3.
3428      *
3429      * Regardless of fact that we have a different mapping to
3430      * VNC auth mechs for plain VNC vs websockets VNC, the end
3431      * result has the same security characteristics.
3432      */
3433     if (websocket || !tlscreds) {
3434         if (password) {
3435             VNC_DEBUG("Initializing VNC server with password auth\n");
3436             *auth = VNC_AUTH_VNC;
3437         } else if (sasl) {
3438             VNC_DEBUG("Initializing VNC server with SASL auth\n");
3439             *auth = VNC_AUTH_SASL;
3440         } else {
3441             VNC_DEBUG("Initializing VNC server with no auth\n");
3442             *auth = VNC_AUTH_NONE;
3443         }
3444         *subauth = VNC_AUTH_INVALID;
3445     } else {
3446         bool is_x509 = object_dynamic_cast(OBJECT(tlscreds),
3447                                            TYPE_QCRYPTO_TLS_CREDS_X509) != NULL;
3448         bool is_anon = object_dynamic_cast(OBJECT(tlscreds),
3449                                            TYPE_QCRYPTO_TLS_CREDS_ANON) != NULL;
3450 
3451         if (!is_x509 && !is_anon) {
3452             error_setg(errp,
3453                        "Unsupported TLS cred type %s",
3454                        object_get_typename(OBJECT(tlscreds)));
3455             return -1;
3456         }
3457         *auth = VNC_AUTH_VENCRYPT;
3458         if (password) {
3459             if (is_x509) {
3460                 VNC_DEBUG("Initializing VNC server with x509 password auth\n");
3461                 *subauth = VNC_AUTH_VENCRYPT_X509VNC;
3462             } else {
3463                 VNC_DEBUG("Initializing VNC server with TLS password auth\n");
3464                 *subauth = VNC_AUTH_VENCRYPT_TLSVNC;
3465             }
3466 
3467         } else if (sasl) {
3468             if (is_x509) {
3469                 VNC_DEBUG("Initializing VNC server with x509 SASL auth\n");
3470                 *subauth = VNC_AUTH_VENCRYPT_X509SASL;
3471             } else {
3472                 VNC_DEBUG("Initializing VNC server with TLS SASL auth\n");
3473                 *subauth = VNC_AUTH_VENCRYPT_TLSSASL;
3474             }
3475         } else {
3476             if (is_x509) {
3477                 VNC_DEBUG("Initializing VNC server with x509 no auth\n");
3478                 *subauth = VNC_AUTH_VENCRYPT_X509NONE;
3479             } else {
3480                 VNC_DEBUG("Initializing VNC server with TLS no auth\n");
3481                 *subauth = VNC_AUTH_VENCRYPT_TLSNONE;
3482             }
3483         }
3484     }
3485     return 0;
3486 }
3487 
3488 
3489 static int vnc_display_get_address(const char *addrstr,
3490                                    bool websocket,
3491                                    bool reverse,
3492                                    int displaynum,
3493                                    int to,
3494                                    bool has_ipv4,
3495                                    bool has_ipv6,
3496                                    bool ipv4,
3497                                    bool ipv6,
3498                                    SocketAddress **retaddr,
3499                                    Error **errp)
3500 {
3501     int ret = -1;
3502     SocketAddress *addr = NULL;
3503 
3504     addr = g_new0(SocketAddress, 1);
3505 
3506     if (strncmp(addrstr, "unix:", 5) == 0) {
3507         addr->type = SOCKET_ADDRESS_TYPE_UNIX;
3508         addr->u.q_unix.path = g_strdup(addrstr + 5);
3509 
3510         if (websocket) {
3511             error_setg(errp, "UNIX sockets not supported with websock");
3512             goto cleanup;
3513         }
3514 
3515         if (to) {
3516             error_setg(errp, "Port range not support with UNIX socket");
3517             goto cleanup;
3518         }
3519         ret = 0;
3520     } else {
3521         const char *port;
3522         size_t hostlen;
3523         unsigned long long baseport = 0;
3524         InetSocketAddress *inet;
3525 
3526         port = strrchr(addrstr, ':');
3527         if (!port) {
3528             if (websocket) {
3529                 hostlen = 0;
3530                 port = addrstr;
3531             } else {
3532                 error_setg(errp, "no vnc port specified");
3533                 goto cleanup;
3534             }
3535         } else {
3536             hostlen = port - addrstr;
3537             port++;
3538             if (*port == '\0') {
3539                 error_setg(errp, "vnc port cannot be empty");
3540                 goto cleanup;
3541             }
3542         }
3543 
3544         addr->type = SOCKET_ADDRESS_TYPE_INET;
3545         inet = &addr->u.inet;
3546         if (addrstr[0] == '[' && addrstr[hostlen - 1] == ']') {
3547             inet->host = g_strndup(addrstr + 1, hostlen - 2);
3548         } else {
3549             inet->host = g_strndup(addrstr, hostlen);
3550         }
3551         /* plain VNC port is just an offset, for websocket
3552          * port is absolute */
3553         if (websocket) {
3554             if (g_str_equal(addrstr, "") ||
3555                 g_str_equal(addrstr, "on")) {
3556                 if (displaynum == -1) {
3557                     error_setg(errp, "explicit websocket port is required");
3558                     goto cleanup;
3559                 }
3560                 inet->port = g_strdup_printf(
3561                     "%d", displaynum + 5700);
3562                 if (to) {
3563                     inet->has_to = true;
3564                     inet->to = to + 5700;
3565                 }
3566             } else {
3567                 inet->port = g_strdup(port);
3568             }
3569         } else {
3570             int offset = reverse ? 0 : 5900;
3571             if (parse_uint_full(port, &baseport, 10) < 0) {
3572                 error_setg(errp, "can't convert to a number: %s", port);
3573                 goto cleanup;
3574             }
3575             if (baseport > 65535 ||
3576                 baseport + offset > 65535) {
3577                 error_setg(errp, "port %s out of range", port);
3578                 goto cleanup;
3579             }
3580             inet->port = g_strdup_printf(
3581                 "%d", (int)baseport + offset);
3582 
3583             if (to) {
3584                 inet->has_to = true;
3585                 inet->to = to + offset;
3586             }
3587         }
3588 
3589         inet->ipv4 = ipv4;
3590         inet->has_ipv4 = has_ipv4;
3591         inet->ipv6 = ipv6;
3592         inet->has_ipv6 = has_ipv6;
3593 
3594         ret = baseport;
3595     }
3596 
3597     *retaddr = addr;
3598 
3599  cleanup:
3600     if (ret < 0) {
3601         qapi_free_SocketAddress(addr);
3602     }
3603     return ret;
3604 }
3605 
3606 static void vnc_free_addresses(SocketAddress ***retsaddr,
3607                                size_t *retnsaddr)
3608 {
3609     size_t i;
3610 
3611     for (i = 0; i < *retnsaddr; i++) {
3612         qapi_free_SocketAddress((*retsaddr)[i]);
3613     }
3614     g_free(*retsaddr);
3615 
3616     *retsaddr = NULL;
3617     *retnsaddr = 0;
3618 }
3619 
3620 static int vnc_display_get_addresses(QemuOpts *opts,
3621                                      bool reverse,
3622                                      SocketAddress ***retsaddr,
3623                                      size_t *retnsaddr,
3624                                      SocketAddress ***retwsaddr,
3625                                      size_t *retnwsaddr,
3626                                      Error **errp)
3627 {
3628     SocketAddress *saddr = NULL;
3629     SocketAddress *wsaddr = NULL;
3630     QemuOptsIter addriter;
3631     const char *addr;
3632     int to = qemu_opt_get_number(opts, "to", 0);
3633     bool has_ipv4 = qemu_opt_get(opts, "ipv4");
3634     bool has_ipv6 = qemu_opt_get(opts, "ipv6");
3635     bool ipv4 = qemu_opt_get_bool(opts, "ipv4", false);
3636     bool ipv6 = qemu_opt_get_bool(opts, "ipv6", false);
3637     int displaynum = -1;
3638     int ret = -1;
3639 
3640     *retsaddr = NULL;
3641     *retnsaddr = 0;
3642     *retwsaddr = NULL;
3643     *retnwsaddr = 0;
3644 
3645     addr = qemu_opt_get(opts, "vnc");
3646     if (addr == NULL || g_str_equal(addr, "none")) {
3647         ret = 0;
3648         goto cleanup;
3649     }
3650     if (qemu_opt_get(opts, "websocket") &&
3651         !qcrypto_hash_supports(QCRYPTO_HASH_ALG_SHA1)) {
3652         error_setg(errp,
3653                    "SHA1 hash support is required for websockets");
3654         goto cleanup;
3655     }
3656 
3657     qemu_opt_iter_init(&addriter, opts, "vnc");
3658     while ((addr = qemu_opt_iter_next(&addriter)) != NULL) {
3659         int rv;
3660         rv = vnc_display_get_address(addr, false, reverse, 0, to,
3661                                      has_ipv4, has_ipv6,
3662                                      ipv4, ipv6,
3663                                      &saddr, errp);
3664         if (rv < 0) {
3665             goto cleanup;
3666         }
3667         /* Historical compat - first listen address can be used
3668          * to set the default websocket port
3669          */
3670         if (displaynum == -1) {
3671             displaynum = rv;
3672         }
3673         *retsaddr = g_renew(SocketAddress *, *retsaddr, *retnsaddr + 1);
3674         (*retsaddr)[(*retnsaddr)++] = saddr;
3675     }
3676 
3677     /* If we had multiple primary displays, we don't do defaults
3678      * for websocket, and require explicit config instead. */
3679     if (*retnsaddr > 1) {
3680         displaynum = -1;
3681     }
3682 
3683     qemu_opt_iter_init(&addriter, opts, "websocket");
3684     while ((addr = qemu_opt_iter_next(&addriter)) != NULL) {
3685         if (vnc_display_get_address(addr, true, reverse, displaynum, to,
3686                                     has_ipv4, has_ipv6,
3687                                     ipv4, ipv6,
3688                                     &wsaddr, errp) < 0) {
3689             goto cleanup;
3690         }
3691 
3692         /* Historical compat - if only a single listen address was
3693          * provided, then this is used to set the default listen
3694          * address for websocket too
3695          */
3696         if (*retnsaddr == 1 &&
3697             (*retsaddr)[0]->type == SOCKET_ADDRESS_TYPE_INET &&
3698             wsaddr->type == SOCKET_ADDRESS_TYPE_INET &&
3699             g_str_equal(wsaddr->u.inet.host, "") &&
3700             !g_str_equal((*retsaddr)[0]->u.inet.host, "")) {
3701             g_free(wsaddr->u.inet.host);
3702             wsaddr->u.inet.host = g_strdup((*retsaddr)[0]->u.inet.host);
3703         }
3704 
3705         *retwsaddr = g_renew(SocketAddress *, *retwsaddr, *retnwsaddr + 1);
3706         (*retwsaddr)[(*retnwsaddr)++] = wsaddr;
3707     }
3708 
3709     ret = 0;
3710  cleanup:
3711     if (ret < 0) {
3712         vnc_free_addresses(retsaddr, retnsaddr);
3713         vnc_free_addresses(retwsaddr, retnwsaddr);
3714     }
3715     return ret;
3716 }
3717 
3718 static int vnc_display_connect(VncDisplay *vd,
3719                                SocketAddress **saddr,
3720                                size_t nsaddr,
3721                                SocketAddress **wsaddr,
3722                                size_t nwsaddr,
3723                                Error **errp)
3724 {
3725     /* connect to viewer */
3726     QIOChannelSocket *sioc = NULL;
3727     if (nwsaddr != 0) {
3728         error_setg(errp, "Cannot use websockets in reverse mode");
3729         return -1;
3730     }
3731     if (nsaddr != 1) {
3732         error_setg(errp, "Expected a single address in reverse mode");
3733         return -1;
3734     }
3735     /* TODO SOCKET_ADDRESS_TYPE_FD when fd has AF_UNIX */
3736     vd->is_unix = saddr[0]->type == SOCKET_ADDRESS_TYPE_UNIX;
3737     sioc = qio_channel_socket_new();
3738     qio_channel_set_name(QIO_CHANNEL(sioc), "vnc-reverse");
3739     if (qio_channel_socket_connect_sync(sioc, saddr[0], errp) < 0) {
3740         return -1;
3741     }
3742     vnc_connect(vd, sioc, false, false);
3743     object_unref(OBJECT(sioc));
3744     return 0;
3745 }
3746 
3747 
3748 static int vnc_display_listen(VncDisplay *vd,
3749                               SocketAddress **saddr,
3750                               size_t nsaddr,
3751                               SocketAddress **wsaddr,
3752                               size_t nwsaddr,
3753                               Error **errp)
3754 {
3755     size_t i;
3756 
3757     if (nsaddr) {
3758         vd->listener = qio_net_listener_new();
3759         qio_net_listener_set_name(vd->listener, "vnc-listen");
3760         for (i = 0; i < nsaddr; i++) {
3761             if (qio_net_listener_open_sync(vd->listener,
3762                                            saddr[i],
3763                                            errp) < 0)  {
3764                 return -1;
3765             }
3766         }
3767 
3768         qio_net_listener_set_client_func(vd->listener,
3769                                          vnc_listen_io, vd, NULL);
3770     }
3771 
3772     if (nwsaddr) {
3773         vd->wslistener = qio_net_listener_new();
3774         qio_net_listener_set_name(vd->wslistener, "vnc-ws-listen");
3775         for (i = 0; i < nwsaddr; i++) {
3776             if (qio_net_listener_open_sync(vd->wslistener,
3777                                            wsaddr[i],
3778                                            errp) < 0)  {
3779                 return -1;
3780             }
3781         }
3782 
3783         qio_net_listener_set_client_func(vd->wslistener,
3784                                          vnc_listen_io, vd, NULL);
3785     }
3786 
3787     return 0;
3788 }
3789 
3790 
3791 void vnc_display_open(const char *id, Error **errp)
3792 {
3793     VncDisplay *vd = vnc_display_find(id);
3794     QemuOpts *opts = qemu_opts_find(&qemu_vnc_opts, id);
3795     SocketAddress **saddr = NULL, **wsaddr = NULL;
3796     size_t nsaddr, nwsaddr;
3797     const char *share, *device_id;
3798     QemuConsole *con;
3799     bool password = false;
3800     bool reverse = false;
3801     const char *credid;
3802     bool sasl = false;
3803     int acl = 0;
3804     const char *tlsauthz;
3805     const char *saslauthz;
3806     int lock_key_sync = 1;
3807     int key_delay_ms;
3808 
3809     if (!vd) {
3810         error_setg(errp, "VNC display not active");
3811         return;
3812     }
3813     vnc_display_close(vd);
3814 
3815     if (!opts) {
3816         return;
3817     }
3818 
3819     reverse = qemu_opt_get_bool(opts, "reverse", false);
3820     if (vnc_display_get_addresses(opts, reverse, &saddr, &nsaddr,
3821                                   &wsaddr, &nwsaddr, errp) < 0) {
3822         goto fail;
3823     }
3824 
3825     password = qemu_opt_get_bool(opts, "password", false);
3826     if (password) {
3827         if (fips_get_state()) {
3828             error_setg(errp,
3829                        "VNC password auth disabled due to FIPS mode, "
3830                        "consider using the VeNCrypt or SASL authentication "
3831                        "methods as an alternative");
3832             goto fail;
3833         }
3834         if (!qcrypto_cipher_supports(
3835                 QCRYPTO_CIPHER_ALG_DES_RFB, QCRYPTO_CIPHER_MODE_ECB)) {
3836             error_setg(errp,
3837                        "Cipher backend does not support DES RFB algorithm");
3838             goto fail;
3839         }
3840     }
3841 
3842     lock_key_sync = qemu_opt_get_bool(opts, "lock-key-sync", true);
3843     key_delay_ms = qemu_opt_get_number(opts, "key-delay-ms", 10);
3844     sasl = qemu_opt_get_bool(opts, "sasl", false);
3845 #ifndef CONFIG_VNC_SASL
3846     if (sasl) {
3847         error_setg(errp, "VNC SASL auth requires cyrus-sasl support");
3848         goto fail;
3849     }
3850 #endif /* CONFIG_VNC_SASL */
3851     credid = qemu_opt_get(opts, "tls-creds");
3852     if (credid) {
3853         Object *creds;
3854         creds = object_resolve_path_component(
3855             object_get_objects_root(), credid);
3856         if (!creds) {
3857             error_setg(errp, "No TLS credentials with id '%s'",
3858                        credid);
3859             goto fail;
3860         }
3861         vd->tlscreds = (QCryptoTLSCreds *)
3862             object_dynamic_cast(creds,
3863                                 TYPE_QCRYPTO_TLS_CREDS);
3864         if (!vd->tlscreds) {
3865             error_setg(errp, "Object with id '%s' is not TLS credentials",
3866                        credid);
3867             goto fail;
3868         }
3869         object_ref(OBJECT(vd->tlscreds));
3870 
3871         if (vd->tlscreds->endpoint != QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) {
3872             error_setg(errp,
3873                        "Expecting TLS credentials with a server endpoint");
3874             goto fail;
3875         }
3876     }
3877     if (qemu_opt_get(opts, "acl")) {
3878         error_report("The 'acl' option to -vnc is deprecated. "
3879                      "Please use the 'tls-authz' and 'sasl-authz' "
3880                      "options instead");
3881     }
3882     acl = qemu_opt_get_bool(opts, "acl", false);
3883     tlsauthz = qemu_opt_get(opts, "tls-authz");
3884     if (acl && tlsauthz) {
3885         error_setg(errp, "'acl' option is mutually exclusive with the "
3886                    "'tls-authz' option");
3887         goto fail;
3888     }
3889     if (tlsauthz && !vd->tlscreds) {
3890         error_setg(errp, "'tls-authz' provided but TLS is not enabled");
3891         goto fail;
3892     }
3893 
3894     saslauthz = qemu_opt_get(opts, "sasl-authz");
3895     if (acl && saslauthz) {
3896         error_setg(errp, "'acl' option is mutually exclusive with the "
3897                    "'sasl-authz' option");
3898         goto fail;
3899     }
3900     if (saslauthz && !sasl) {
3901         error_setg(errp, "'sasl-authz' provided but SASL auth is not enabled");
3902         goto fail;
3903     }
3904 
3905     share = qemu_opt_get(opts, "share");
3906     if (share) {
3907         if (strcmp(share, "ignore") == 0) {
3908             vd->share_policy = VNC_SHARE_POLICY_IGNORE;
3909         } else if (strcmp(share, "allow-exclusive") == 0) {
3910             vd->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
3911         } else if (strcmp(share, "force-shared") == 0) {
3912             vd->share_policy = VNC_SHARE_POLICY_FORCE_SHARED;
3913         } else {
3914             error_setg(errp, "unknown vnc share= option");
3915             goto fail;
3916         }
3917     } else {
3918         vd->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
3919     }
3920     vd->connections_limit = qemu_opt_get_number(opts, "connections", 32);
3921 
3922 #ifdef CONFIG_VNC_JPEG
3923     vd->lossy = qemu_opt_get_bool(opts, "lossy", false);
3924 #endif
3925     vd->non_adaptive = qemu_opt_get_bool(opts, "non-adaptive", false);
3926     /* adaptive updates are only used with tight encoding and
3927      * if lossy updates are enabled so we can disable all the
3928      * calculations otherwise */
3929     if (!vd->lossy) {
3930         vd->non_adaptive = true;
3931     }
3932 
3933     if (tlsauthz) {
3934         vd->tlsauthzid = g_strdup(tlsauthz);
3935     } else if (acl) {
3936         if (strcmp(vd->id, "default") == 0) {
3937             vd->tlsauthzid = g_strdup("vnc.x509dname");
3938         } else {
3939             vd->tlsauthzid = g_strdup_printf("vnc.%s.x509dname", vd->id);
3940         }
3941         vd->tlsauthz = QAUTHZ(qauthz_list_new(vd->tlsauthzid,
3942                                               QAUTHZ_LIST_POLICY_DENY,
3943                                               &error_abort));
3944     }
3945 #ifdef CONFIG_VNC_SASL
3946     if (sasl) {
3947         if (saslauthz) {
3948             vd->sasl.authzid = g_strdup(saslauthz);
3949         } else if (acl) {
3950             if (strcmp(vd->id, "default") == 0) {
3951                 vd->sasl.authzid = g_strdup("vnc.username");
3952             } else {
3953                 vd->sasl.authzid = g_strdup_printf("vnc.%s.username", vd->id);
3954             }
3955             vd->sasl.authz = QAUTHZ(qauthz_list_new(vd->sasl.authzid,
3956                                                     QAUTHZ_LIST_POLICY_DENY,
3957                                                     &error_abort));
3958         }
3959     }
3960 #endif
3961 
3962     if (vnc_display_setup_auth(&vd->auth, &vd->subauth,
3963                                vd->tlscreds, password,
3964                                sasl, false, errp) < 0) {
3965         goto fail;
3966     }
3967     trace_vnc_auth_init(vd, 0, vd->auth, vd->subauth);
3968 
3969     if (vnc_display_setup_auth(&vd->ws_auth, &vd->ws_subauth,
3970                                vd->tlscreds, password,
3971                                sasl, true, errp) < 0) {
3972         goto fail;
3973     }
3974     trace_vnc_auth_init(vd, 1, vd->ws_auth, vd->ws_subauth);
3975 
3976 #ifdef CONFIG_VNC_SASL
3977     if (sasl) {
3978         int saslErr = sasl_server_init(NULL, "qemu");
3979 
3980         if (saslErr != SASL_OK) {
3981             error_setg(errp, "Failed to initialize SASL auth: %s",
3982                        sasl_errstring(saslErr, NULL, NULL));
3983             goto fail;
3984         }
3985     }
3986 #endif
3987     vd->lock_key_sync = lock_key_sync;
3988     if (lock_key_sync) {
3989         vd->led = qemu_add_led_event_handler(kbd_leds, vd);
3990     }
3991     vd->ledstate = 0;
3992 
3993     device_id = qemu_opt_get(opts, "display");
3994     if (device_id) {
3995         int head = qemu_opt_get_number(opts, "head", 0);
3996         Error *err = NULL;
3997 
3998         con = qemu_console_lookup_by_device_name(device_id, head, &err);
3999         if (err) {
4000             error_propagate(errp, err);
4001             goto fail;
4002         }
4003     } else {
4004         con = NULL;
4005     }
4006 
4007     if (con != vd->dcl.con) {
4008         qkbd_state_free(vd->kbd);
4009         unregister_displaychangelistener(&vd->dcl);
4010         vd->dcl.con = con;
4011         register_displaychangelistener(&vd->dcl);
4012         vd->kbd = qkbd_state_init(vd->dcl.con);
4013     }
4014     qkbd_state_set_delay(vd->kbd, key_delay_ms);
4015 
4016     if (saddr == NULL) {
4017         goto cleanup;
4018     }
4019 
4020     if (reverse) {
4021         if (vnc_display_connect(vd, saddr, nsaddr, wsaddr, nwsaddr, errp) < 0) {
4022             goto fail;
4023         }
4024     } else {
4025         if (vnc_display_listen(vd, saddr, nsaddr, wsaddr, nwsaddr, errp) < 0) {
4026             goto fail;
4027         }
4028     }
4029 
4030     if (qemu_opt_get(opts, "to")) {
4031         vnc_display_print_local_addr(vd);
4032     }
4033 
4034  cleanup:
4035     vnc_free_addresses(&saddr, &nsaddr);
4036     vnc_free_addresses(&wsaddr, &nwsaddr);
4037     return;
4038 
4039 fail:
4040     vnc_display_close(vd);
4041     goto cleanup;
4042 }
4043 
4044 void vnc_display_add_client(const char *id, int csock, bool skipauth)
4045 {
4046     VncDisplay *vd = vnc_display_find(id);
4047     QIOChannelSocket *sioc;
4048 
4049     if (!vd) {
4050         return;
4051     }
4052 
4053     sioc = qio_channel_socket_new_fd(csock, NULL);
4054     if (sioc) {
4055         qio_channel_set_name(QIO_CHANNEL(sioc), "vnc-server");
4056         vnc_connect(vd, sioc, skipauth, false);
4057         object_unref(OBJECT(sioc));
4058     }
4059 }
4060 
4061 static void vnc_auto_assign_id(QemuOptsList *olist, QemuOpts *opts)
4062 {
4063     int i = 2;
4064     char *id;
4065 
4066     id = g_strdup("default");
4067     while (qemu_opts_find(olist, id)) {
4068         g_free(id);
4069         id = g_strdup_printf("vnc%d", i++);
4070     }
4071     qemu_opts_set_id(opts, id);
4072 }
4073 
4074 QemuOpts *vnc_parse(const char *str, Error **errp)
4075 {
4076     QemuOptsList *olist = qemu_find_opts("vnc");
4077     QemuOpts *opts = qemu_opts_parse(olist, str, true, errp);
4078     const char *id;
4079 
4080     if (!opts) {
4081         return NULL;
4082     }
4083 
4084     id = qemu_opts_id(opts);
4085     if (!id) {
4086         /* auto-assign id if not present */
4087         vnc_auto_assign_id(olist, opts);
4088     }
4089     return opts;
4090 }
4091 
4092 int vnc_init_func(void *opaque, QemuOpts *opts, Error **errp)
4093 {
4094     Error *local_err = NULL;
4095     char *id = (char *)qemu_opts_id(opts);
4096 
4097     assert(id);
4098     vnc_display_init(id, &local_err);
4099     if (local_err) {
4100         error_propagate(errp, local_err);
4101         return -1;
4102     }
4103     vnc_display_open(id, &local_err);
4104     if (local_err != NULL) {
4105         error_propagate(errp, local_err);
4106         return -1;
4107     }
4108     return 0;
4109 }
4110 
4111 static void vnc_register_config(void)
4112 {
4113     qemu_add_opts(&qemu_vnc_opts);
4114 }
4115 opts_init(vnc_register_config);
4116