xref: /openbmc/qemu/ui/vnc.c (revision fee5b753)
1 /*
2  * QEMU VNC display driver
3  *
4  * Copyright (C) 2006 Anthony Liguori <anthony@codemonkey.ws>
5  * Copyright (C) 2006 Fabrice Bellard
6  * Copyright (C) 2009 Red Hat, Inc
7  *
8  * Permission is hereby granted, free of charge, to any person obtaining a copy
9  * of this software and associated documentation files (the "Software"), to deal
10  * in the Software without restriction, including without limitation the rights
11  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
12  * copies of the Software, and to permit persons to whom the Software is
13  * furnished to do so, subject to the following conditions:
14  *
15  * The above copyright notice and this permission notice shall be included in
16  * all copies or substantial portions of the Software.
17  *
18  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
19  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
20  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
21  * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
22  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
23  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
24  * THE SOFTWARE.
25  */
26 
27 #include "qemu/osdep.h"
28 #include "vnc.h"
29 #include "vnc-jobs.h"
30 #include "trace.h"
31 #include "hw/qdev.h"
32 #include "sysemu/sysemu.h"
33 #include "qemu/error-report.h"
34 #include "qemu/sockets.h"
35 #include "qemu/timer.h"
36 #include "qemu/acl.h"
37 #include "qemu/config-file.h"
38 #include "qapi/qmp/qerror.h"
39 #include "qapi/qmp/types.h"
40 #include "qmp-commands.h"
41 #include "ui/input.h"
42 #include "qapi-event.h"
43 #include "crypto/hash.h"
44 #include "crypto/tlscredsanon.h"
45 #include "crypto/tlscredsx509.h"
46 #include "qom/object_interfaces.h"
47 
48 #define VNC_REFRESH_INTERVAL_BASE GUI_REFRESH_INTERVAL_DEFAULT
49 #define VNC_REFRESH_INTERVAL_INC  50
50 #define VNC_REFRESH_INTERVAL_MAX  GUI_REFRESH_INTERVAL_IDLE
51 static const struct timeval VNC_REFRESH_STATS = { 0, 500000 };
52 static const struct timeval VNC_REFRESH_LOSSY = { 2, 0 };
53 
54 #include "vnc_keysym.h"
55 #include "crypto/cipher.h"
56 
57 static QTAILQ_HEAD(, VncDisplay) vnc_displays =
58     QTAILQ_HEAD_INITIALIZER(vnc_displays);
59 
60 static int vnc_cursor_define(VncState *vs);
61 static void vnc_release_modifiers(VncState *vs);
62 
63 static void vnc_set_share_mode(VncState *vs, VncShareMode mode)
64 {
65 #ifdef _VNC_DEBUG
66     static const char *mn[] = {
67         [0]                           = "undefined",
68         [VNC_SHARE_MODE_CONNECTING]   = "connecting",
69         [VNC_SHARE_MODE_SHARED]       = "shared",
70         [VNC_SHARE_MODE_EXCLUSIVE]    = "exclusive",
71         [VNC_SHARE_MODE_DISCONNECTED] = "disconnected",
72     };
73     fprintf(stderr, "%s/%p: %s -> %s\n", __func__,
74             vs->ioc, mn[vs->share_mode], mn[mode]);
75 #endif
76 
77     switch (vs->share_mode) {
78     case VNC_SHARE_MODE_CONNECTING:
79         vs->vd->num_connecting--;
80         break;
81     case VNC_SHARE_MODE_SHARED:
82         vs->vd->num_shared--;
83         break;
84     case VNC_SHARE_MODE_EXCLUSIVE:
85         vs->vd->num_exclusive--;
86         break;
87     default:
88         break;
89     }
90 
91     vs->share_mode = mode;
92 
93     switch (vs->share_mode) {
94     case VNC_SHARE_MODE_CONNECTING:
95         vs->vd->num_connecting++;
96         break;
97     case VNC_SHARE_MODE_SHARED:
98         vs->vd->num_shared++;
99         break;
100     case VNC_SHARE_MODE_EXCLUSIVE:
101         vs->vd->num_exclusive++;
102         break;
103     default:
104         break;
105     }
106 }
107 
108 
109 static void vnc_init_basic_info(SocketAddress *addr,
110                                 VncBasicInfo *info,
111                                 Error **errp)
112 {
113     switch (addr->type) {
114     case SOCKET_ADDRESS_KIND_INET:
115         info->host = g_strdup(addr->u.inet->host);
116         info->service = g_strdup(addr->u.inet->port);
117         if (addr->u.inet->ipv6) {
118             info->family = NETWORK_ADDRESS_FAMILY_IPV6;
119         } else {
120             info->family = NETWORK_ADDRESS_FAMILY_IPV4;
121         }
122         break;
123 
124     case SOCKET_ADDRESS_KIND_UNIX:
125         info->host = g_strdup("");
126         info->service = g_strdup(addr->u.q_unix->path);
127         info->family = NETWORK_ADDRESS_FAMILY_UNIX;
128         break;
129 
130     default:
131         error_setg(errp, "Unsupported socket kind %d",
132                    addr->type);
133         break;
134     }
135 
136     return;
137 }
138 
139 static void vnc_init_basic_info_from_server_addr(QIOChannelSocket *ioc,
140                                                  VncBasicInfo *info,
141                                                  Error **errp)
142 {
143     SocketAddress *addr = NULL;
144 
145     addr = qio_channel_socket_get_local_address(ioc, errp);
146     if (!addr) {
147         return;
148     }
149 
150     vnc_init_basic_info(addr, info, errp);
151     qapi_free_SocketAddress(addr);
152 }
153 
154 static void vnc_init_basic_info_from_remote_addr(QIOChannelSocket *ioc,
155                                                  VncBasicInfo *info,
156                                                  Error **errp)
157 {
158     SocketAddress *addr = NULL;
159 
160     addr = qio_channel_socket_get_remote_address(ioc, errp);
161     if (!addr) {
162         return;
163     }
164 
165     vnc_init_basic_info(addr, info, errp);
166     qapi_free_SocketAddress(addr);
167 }
168 
169 static const char *vnc_auth_name(VncDisplay *vd) {
170     switch (vd->auth) {
171     case VNC_AUTH_INVALID:
172         return "invalid";
173     case VNC_AUTH_NONE:
174         return "none";
175     case VNC_AUTH_VNC:
176         return "vnc";
177     case VNC_AUTH_RA2:
178         return "ra2";
179     case VNC_AUTH_RA2NE:
180         return "ra2ne";
181     case VNC_AUTH_TIGHT:
182         return "tight";
183     case VNC_AUTH_ULTRA:
184         return "ultra";
185     case VNC_AUTH_TLS:
186         return "tls";
187     case VNC_AUTH_VENCRYPT:
188         switch (vd->subauth) {
189         case VNC_AUTH_VENCRYPT_PLAIN:
190             return "vencrypt+plain";
191         case VNC_AUTH_VENCRYPT_TLSNONE:
192             return "vencrypt+tls+none";
193         case VNC_AUTH_VENCRYPT_TLSVNC:
194             return "vencrypt+tls+vnc";
195         case VNC_AUTH_VENCRYPT_TLSPLAIN:
196             return "vencrypt+tls+plain";
197         case VNC_AUTH_VENCRYPT_X509NONE:
198             return "vencrypt+x509+none";
199         case VNC_AUTH_VENCRYPT_X509VNC:
200             return "vencrypt+x509+vnc";
201         case VNC_AUTH_VENCRYPT_X509PLAIN:
202             return "vencrypt+x509+plain";
203         case VNC_AUTH_VENCRYPT_TLSSASL:
204             return "vencrypt+tls+sasl";
205         case VNC_AUTH_VENCRYPT_X509SASL:
206             return "vencrypt+x509+sasl";
207         default:
208             return "vencrypt";
209         }
210     case VNC_AUTH_SASL:
211         return "sasl";
212     }
213     return "unknown";
214 }
215 
216 static VncServerInfo *vnc_server_info_get(VncDisplay *vd)
217 {
218     VncServerInfo *info;
219     Error *err = NULL;
220 
221     info = g_malloc(sizeof(*info));
222     vnc_init_basic_info_from_server_addr(vd->lsock,
223                                          qapi_VncServerInfo_base(info), &err);
224     info->has_auth = true;
225     info->auth = g_strdup(vnc_auth_name(vd));
226     if (err) {
227         qapi_free_VncServerInfo(info);
228         info = NULL;
229         error_free(err);
230     }
231     return info;
232 }
233 
234 static void vnc_client_cache_auth(VncState *client)
235 {
236     if (!client->info) {
237         return;
238     }
239 
240     if (client->tls) {
241         client->info->x509_dname =
242             qcrypto_tls_session_get_peer_name(client->tls);
243         client->info->has_x509_dname =
244             client->info->x509_dname != NULL;
245     }
246 #ifdef CONFIG_VNC_SASL
247     if (client->sasl.conn &&
248         client->sasl.username) {
249         client->info->has_sasl_username = true;
250         client->info->sasl_username = g_strdup(client->sasl.username);
251     }
252 #endif
253 }
254 
255 static void vnc_client_cache_addr(VncState *client)
256 {
257     Error *err = NULL;
258 
259     client->info = g_malloc0(sizeof(*client->info));
260     vnc_init_basic_info_from_remote_addr(client->sioc,
261                                          qapi_VncClientInfo_base(client->info),
262                                          &err);
263     if (err) {
264         qapi_free_VncClientInfo(client->info);
265         client->info = NULL;
266         error_free(err);
267     }
268 }
269 
270 static void vnc_qmp_event(VncState *vs, QAPIEvent event)
271 {
272     VncServerInfo *si;
273 
274     if (!vs->info) {
275         return;
276     }
277 
278     si = vnc_server_info_get(vs->vd);
279     if (!si) {
280         return;
281     }
282 
283     switch (event) {
284     case QAPI_EVENT_VNC_CONNECTED:
285         qapi_event_send_vnc_connected(si, qapi_VncClientInfo_base(vs->info),
286                                       &error_abort);
287         break;
288     case QAPI_EVENT_VNC_INITIALIZED:
289         qapi_event_send_vnc_initialized(si, vs->info, &error_abort);
290         break;
291     case QAPI_EVENT_VNC_DISCONNECTED:
292         qapi_event_send_vnc_disconnected(si, vs->info, &error_abort);
293         break;
294     default:
295         break;
296     }
297 
298     qapi_free_VncServerInfo(si);
299 }
300 
301 static VncClientInfo *qmp_query_vnc_client(const VncState *client)
302 {
303     VncClientInfo *info;
304     Error *err = NULL;
305 
306     info = g_malloc0(sizeof(*info));
307 
308     vnc_init_basic_info_from_remote_addr(client->sioc,
309                                          qapi_VncClientInfo_base(info),
310                                          &err);
311     if (err) {
312         error_free(err);
313         qapi_free_VncClientInfo(info);
314         return NULL;
315     }
316 
317     info->websocket = client->websocket;
318 
319     if (client->tls) {
320         info->x509_dname = qcrypto_tls_session_get_peer_name(client->tls);
321         info->has_x509_dname = info->x509_dname != NULL;
322     }
323 #ifdef CONFIG_VNC_SASL
324     if (client->sasl.conn && client->sasl.username) {
325         info->has_sasl_username = true;
326         info->sasl_username = g_strdup(client->sasl.username);
327     }
328 #endif
329 
330     return info;
331 }
332 
333 static VncDisplay *vnc_display_find(const char *id)
334 {
335     VncDisplay *vd;
336 
337     if (id == NULL) {
338         return QTAILQ_FIRST(&vnc_displays);
339     }
340     QTAILQ_FOREACH(vd, &vnc_displays, next) {
341         if (strcmp(id, vd->id) == 0) {
342             return vd;
343         }
344     }
345     return NULL;
346 }
347 
348 static VncClientInfoList *qmp_query_client_list(VncDisplay *vd)
349 {
350     VncClientInfoList *cinfo, *prev = NULL;
351     VncState *client;
352 
353     QTAILQ_FOREACH(client, &vd->clients, next) {
354         cinfo = g_new0(VncClientInfoList, 1);
355         cinfo->value = qmp_query_vnc_client(client);
356         cinfo->next = prev;
357         prev = cinfo;
358     }
359     return prev;
360 }
361 
362 VncInfo *qmp_query_vnc(Error **errp)
363 {
364     VncInfo *info = g_malloc0(sizeof(*info));
365     VncDisplay *vd = vnc_display_find(NULL);
366     SocketAddress *addr = NULL;
367 
368     if (vd == NULL || !vd->enabled) {
369         info->enabled = false;
370     } else {
371         info->enabled = true;
372 
373         /* for compatibility with the original command */
374         info->has_clients = true;
375         info->clients = qmp_query_client_list(vd);
376 
377         if (vd->lsock == NULL) {
378             return info;
379         }
380 
381         addr = qio_channel_socket_get_local_address(vd->lsock, errp);
382         if (!addr) {
383             goto out_error;
384         }
385 
386         switch (addr->type) {
387         case SOCKET_ADDRESS_KIND_INET:
388             info->host = g_strdup(addr->u.inet->host);
389             info->service = g_strdup(addr->u.inet->port);
390             if (addr->u.inet->ipv6) {
391                 info->family = NETWORK_ADDRESS_FAMILY_IPV6;
392             } else {
393                 info->family = NETWORK_ADDRESS_FAMILY_IPV4;
394             }
395             break;
396 
397         case SOCKET_ADDRESS_KIND_UNIX:
398             info->host = g_strdup("");
399             info->service = g_strdup(addr->u.q_unix->path);
400             info->family = NETWORK_ADDRESS_FAMILY_UNIX;
401             break;
402 
403         default:
404             error_setg(errp, "Unsupported socket kind %d",
405                        addr->type);
406             goto out_error;
407         }
408 
409         info->has_host = true;
410         info->has_service = true;
411         info->has_family = true;
412 
413         info->has_auth = true;
414         info->auth = g_strdup(vnc_auth_name(vd));
415     }
416 
417     qapi_free_SocketAddress(addr);
418     return info;
419 
420 out_error:
421     qapi_free_SocketAddress(addr);
422     qapi_free_VncInfo(info);
423     return NULL;
424 }
425 
426 static VncBasicInfoList *qmp_query_server_entry(QIOChannelSocket *ioc,
427                                                 bool websocket,
428                                                 VncBasicInfoList *prev)
429 {
430     VncBasicInfoList *list;
431     VncBasicInfo *info;
432     Error *err = NULL;
433     SocketAddress *addr;
434 
435     addr = qio_channel_socket_get_local_address(ioc, &err);
436     if (!addr) {
437         error_free(err);
438         return prev;
439     }
440 
441     info = g_new0(VncBasicInfo, 1);
442     vnc_init_basic_info(addr, info, &err);
443     qapi_free_SocketAddress(addr);
444     if (err) {
445         qapi_free_VncBasicInfo(info);
446         error_free(err);
447         return prev;
448     }
449     info->websocket = websocket;
450 
451     list = g_new0(VncBasicInfoList, 1);
452     list->value = info;
453     list->next = prev;
454     return list;
455 }
456 
457 static void qmp_query_auth(VncDisplay *vd, VncInfo2 *info)
458 {
459     switch (vd->auth) {
460     case VNC_AUTH_VNC:
461         info->auth = VNC_PRIMARY_AUTH_VNC;
462         break;
463     case VNC_AUTH_RA2:
464         info->auth = VNC_PRIMARY_AUTH_RA2;
465         break;
466     case VNC_AUTH_RA2NE:
467         info->auth = VNC_PRIMARY_AUTH_RA2NE;
468         break;
469     case VNC_AUTH_TIGHT:
470         info->auth = VNC_PRIMARY_AUTH_TIGHT;
471         break;
472     case VNC_AUTH_ULTRA:
473         info->auth = VNC_PRIMARY_AUTH_ULTRA;
474         break;
475     case VNC_AUTH_TLS:
476         info->auth = VNC_PRIMARY_AUTH_TLS;
477         break;
478     case VNC_AUTH_VENCRYPT:
479         info->auth = VNC_PRIMARY_AUTH_VENCRYPT;
480         info->has_vencrypt = true;
481         switch (vd->subauth) {
482         case VNC_AUTH_VENCRYPT_PLAIN:
483             info->vencrypt = VNC_VENCRYPT_SUB_AUTH_PLAIN;
484             break;
485         case VNC_AUTH_VENCRYPT_TLSNONE:
486             info->vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_NONE;
487             break;
488         case VNC_AUTH_VENCRYPT_TLSVNC:
489             info->vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_VNC;
490             break;
491         case VNC_AUTH_VENCRYPT_TLSPLAIN:
492             info->vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_PLAIN;
493             break;
494         case VNC_AUTH_VENCRYPT_X509NONE:
495             info->vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_NONE;
496             break;
497         case VNC_AUTH_VENCRYPT_X509VNC:
498             info->vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_VNC;
499             break;
500         case VNC_AUTH_VENCRYPT_X509PLAIN:
501             info->vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_PLAIN;
502             break;
503         case VNC_AUTH_VENCRYPT_TLSSASL:
504             info->vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_SASL;
505             break;
506         case VNC_AUTH_VENCRYPT_X509SASL:
507             info->vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_SASL;
508             break;
509         default:
510             info->has_vencrypt = false;
511             break;
512         }
513         break;
514     case VNC_AUTH_SASL:
515         info->auth = VNC_PRIMARY_AUTH_SASL;
516         break;
517     case VNC_AUTH_NONE:
518     default:
519         info->auth = VNC_PRIMARY_AUTH_NONE;
520         break;
521     }
522 }
523 
524 VncInfo2List *qmp_query_vnc_servers(Error **errp)
525 {
526     VncInfo2List *item, *prev = NULL;
527     VncInfo2 *info;
528     VncDisplay *vd;
529     DeviceState *dev;
530 
531     QTAILQ_FOREACH(vd, &vnc_displays, next) {
532         info = g_new0(VncInfo2, 1);
533         info->id = g_strdup(vd->id);
534         info->clients = qmp_query_client_list(vd);
535         qmp_query_auth(vd, info);
536         if (vd->dcl.con) {
537             dev = DEVICE(object_property_get_link(OBJECT(vd->dcl.con),
538                                                   "device", NULL));
539             info->has_display = true;
540             info->display = g_strdup(dev->id);
541         }
542         if (vd->lsock != NULL) {
543             info->server = qmp_query_server_entry(
544                 vd->lsock, false, info->server);
545         }
546         if (vd->lwebsock != NULL) {
547             info->server = qmp_query_server_entry(
548                 vd->lwebsock, true, info->server);
549         }
550 
551         item = g_new0(VncInfo2List, 1);
552         item->value = info;
553         item->next = prev;
554         prev = item;
555     }
556     return prev;
557 }
558 
559 /* TODO
560    1) Get the queue working for IO.
561    2) there is some weirdness when using the -S option (the screen is grey
562       and not totally invalidated
563    3) resolutions > 1024
564 */
565 
566 static int vnc_update_client(VncState *vs, int has_dirty, bool sync);
567 static void vnc_disconnect_start(VncState *vs);
568 
569 static void vnc_colordepth(VncState *vs);
570 static void framebuffer_update_request(VncState *vs, int incremental,
571                                        int x_position, int y_position,
572                                        int w, int h);
573 static void vnc_refresh(DisplayChangeListener *dcl);
574 static int vnc_refresh_server_surface(VncDisplay *vd);
575 
576 static int vnc_width(VncDisplay *vd)
577 {
578     return MIN(VNC_MAX_WIDTH, ROUND_UP(surface_width(vd->ds),
579                                        VNC_DIRTY_PIXELS_PER_BIT));
580 }
581 
582 static int vnc_height(VncDisplay *vd)
583 {
584     return MIN(VNC_MAX_HEIGHT, surface_height(vd->ds));
585 }
586 
587 static void vnc_set_area_dirty(DECLARE_BITMAP(dirty[VNC_MAX_HEIGHT],
588                                VNC_MAX_WIDTH / VNC_DIRTY_PIXELS_PER_BIT),
589                                VncDisplay *vd,
590                                int x, int y, int w, int h)
591 {
592     int width = vnc_width(vd);
593     int height = vnc_height(vd);
594 
595     /* this is needed this to ensure we updated all affected
596      * blocks if x % VNC_DIRTY_PIXELS_PER_BIT != 0 */
597     w += (x % VNC_DIRTY_PIXELS_PER_BIT);
598     x -= (x % VNC_DIRTY_PIXELS_PER_BIT);
599 
600     x = MIN(x, width);
601     y = MIN(y, height);
602     w = MIN(x + w, width) - x;
603     h = MIN(y + h, height);
604 
605     for (; y < h; y++) {
606         bitmap_set(dirty[y], x / VNC_DIRTY_PIXELS_PER_BIT,
607                    DIV_ROUND_UP(w, VNC_DIRTY_PIXELS_PER_BIT));
608     }
609 }
610 
611 static void vnc_dpy_update(DisplayChangeListener *dcl,
612                            int x, int y, int w, int h)
613 {
614     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
615     struct VncSurface *s = &vd->guest;
616 
617     vnc_set_area_dirty(s->dirty, vd, x, y, w, h);
618 }
619 
620 void vnc_framebuffer_update(VncState *vs, int x, int y, int w, int h,
621                             int32_t encoding)
622 {
623     vnc_write_u16(vs, x);
624     vnc_write_u16(vs, y);
625     vnc_write_u16(vs, w);
626     vnc_write_u16(vs, h);
627 
628     vnc_write_s32(vs, encoding);
629 }
630 
631 
632 static void vnc_desktop_resize(VncState *vs)
633 {
634     if (vs->ioc == NULL || !vnc_has_feature(vs, VNC_FEATURE_RESIZE)) {
635         return;
636     }
637     if (vs->client_width == pixman_image_get_width(vs->vd->server) &&
638         vs->client_height == pixman_image_get_height(vs->vd->server)) {
639         return;
640     }
641     vs->client_width = pixman_image_get_width(vs->vd->server);
642     vs->client_height = pixman_image_get_height(vs->vd->server);
643     vnc_lock_output(vs);
644     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
645     vnc_write_u8(vs, 0);
646     vnc_write_u16(vs, 1); /* number of rects */
647     vnc_framebuffer_update(vs, 0, 0, vs->client_width, vs->client_height,
648                            VNC_ENCODING_DESKTOPRESIZE);
649     vnc_unlock_output(vs);
650     vnc_flush(vs);
651 }
652 
653 static void vnc_abort_display_jobs(VncDisplay *vd)
654 {
655     VncState *vs;
656 
657     QTAILQ_FOREACH(vs, &vd->clients, next) {
658         vnc_lock_output(vs);
659         vs->abort = true;
660         vnc_unlock_output(vs);
661     }
662     QTAILQ_FOREACH(vs, &vd->clients, next) {
663         vnc_jobs_join(vs);
664     }
665     QTAILQ_FOREACH(vs, &vd->clients, next) {
666         vnc_lock_output(vs);
667         vs->abort = false;
668         vnc_unlock_output(vs);
669     }
670 }
671 
672 int vnc_server_fb_stride(VncDisplay *vd)
673 {
674     return pixman_image_get_stride(vd->server);
675 }
676 
677 void *vnc_server_fb_ptr(VncDisplay *vd, int x, int y)
678 {
679     uint8_t *ptr;
680 
681     ptr  = (uint8_t *)pixman_image_get_data(vd->server);
682     ptr += y * vnc_server_fb_stride(vd);
683     ptr += x * VNC_SERVER_FB_BYTES;
684     return ptr;
685 }
686 
687 static void vnc_update_server_surface(VncDisplay *vd)
688 {
689     qemu_pixman_image_unref(vd->server);
690     vd->server = NULL;
691 
692     if (QTAILQ_EMPTY(&vd->clients)) {
693         return;
694     }
695 
696     vd->server = pixman_image_create_bits(VNC_SERVER_FB_FORMAT,
697                                           vnc_width(vd),
698                                           vnc_height(vd),
699                                           NULL, 0);
700 }
701 
702 static void vnc_dpy_switch(DisplayChangeListener *dcl,
703                            DisplaySurface *surface)
704 {
705     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
706     VncState *vs;
707     int width, height;
708 
709     vnc_abort_display_jobs(vd);
710     vd->ds = surface;
711 
712     /* server surface */
713     vnc_update_server_surface(vd);
714 
715     /* guest surface */
716     qemu_pixman_image_unref(vd->guest.fb);
717     vd->guest.fb = pixman_image_ref(surface->image);
718     vd->guest.format = surface->format;
719     width = vnc_width(vd);
720     height = vnc_height(vd);
721     memset(vd->guest.dirty, 0x00, sizeof(vd->guest.dirty));
722     vnc_set_area_dirty(vd->guest.dirty, vd, 0, 0,
723                        width, height);
724 
725     QTAILQ_FOREACH(vs, &vd->clients, next) {
726         vnc_colordepth(vs);
727         vnc_desktop_resize(vs);
728         if (vs->vd->cursor) {
729             vnc_cursor_define(vs);
730         }
731         memset(vs->dirty, 0x00, sizeof(vs->dirty));
732         vnc_set_area_dirty(vs->dirty, vd, 0, 0,
733                            width, height);
734     }
735 }
736 
737 /* fastest code */
738 static void vnc_write_pixels_copy(VncState *vs,
739                                   void *pixels, int size)
740 {
741     vnc_write(vs, pixels, size);
742 }
743 
744 /* slowest but generic code. */
745 void vnc_convert_pixel(VncState *vs, uint8_t *buf, uint32_t v)
746 {
747     uint8_t r, g, b;
748 
749 #if VNC_SERVER_FB_FORMAT == PIXMAN_FORMAT(32, PIXMAN_TYPE_ARGB, 0, 8, 8, 8)
750     r = (((v & 0x00ff0000) >> 16) << vs->client_pf.rbits) >> 8;
751     g = (((v & 0x0000ff00) >>  8) << vs->client_pf.gbits) >> 8;
752     b = (((v & 0x000000ff) >>  0) << vs->client_pf.bbits) >> 8;
753 #else
754 # error need some bits here if you change VNC_SERVER_FB_FORMAT
755 #endif
756     v = (r << vs->client_pf.rshift) |
757         (g << vs->client_pf.gshift) |
758         (b << vs->client_pf.bshift);
759     switch (vs->client_pf.bytes_per_pixel) {
760     case 1:
761         buf[0] = v;
762         break;
763     case 2:
764         if (vs->client_be) {
765             buf[0] = v >> 8;
766             buf[1] = v;
767         } else {
768             buf[1] = v >> 8;
769             buf[0] = v;
770         }
771         break;
772     default:
773     case 4:
774         if (vs->client_be) {
775             buf[0] = v >> 24;
776             buf[1] = v >> 16;
777             buf[2] = v >> 8;
778             buf[3] = v;
779         } else {
780             buf[3] = v >> 24;
781             buf[2] = v >> 16;
782             buf[1] = v >> 8;
783             buf[0] = v;
784         }
785         break;
786     }
787 }
788 
789 static void vnc_write_pixels_generic(VncState *vs,
790                                      void *pixels1, int size)
791 {
792     uint8_t buf[4];
793 
794     if (VNC_SERVER_FB_BYTES == 4) {
795         uint32_t *pixels = pixels1;
796         int n, i;
797         n = size >> 2;
798         for (i = 0; i < n; i++) {
799             vnc_convert_pixel(vs, buf, pixels[i]);
800             vnc_write(vs, buf, vs->client_pf.bytes_per_pixel);
801         }
802     }
803 }
804 
805 int vnc_raw_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
806 {
807     int i;
808     uint8_t *row;
809     VncDisplay *vd = vs->vd;
810 
811     row = vnc_server_fb_ptr(vd, x, y);
812     for (i = 0; i < h; i++) {
813         vs->write_pixels(vs, row, w * VNC_SERVER_FB_BYTES);
814         row += vnc_server_fb_stride(vd);
815     }
816     return 1;
817 }
818 
819 int vnc_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
820 {
821     int n = 0;
822     bool encode_raw = false;
823     size_t saved_offs = vs->output.offset;
824 
825     switch(vs->vnc_encoding) {
826         case VNC_ENCODING_ZLIB:
827             n = vnc_zlib_send_framebuffer_update(vs, x, y, w, h);
828             break;
829         case VNC_ENCODING_HEXTILE:
830             vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_HEXTILE);
831             n = vnc_hextile_send_framebuffer_update(vs, x, y, w, h);
832             break;
833         case VNC_ENCODING_TIGHT:
834             n = vnc_tight_send_framebuffer_update(vs, x, y, w, h);
835             break;
836         case VNC_ENCODING_TIGHT_PNG:
837             n = vnc_tight_png_send_framebuffer_update(vs, x, y, w, h);
838             break;
839         case VNC_ENCODING_ZRLE:
840             n = vnc_zrle_send_framebuffer_update(vs, x, y, w, h);
841             break;
842         case VNC_ENCODING_ZYWRLE:
843             n = vnc_zywrle_send_framebuffer_update(vs, x, y, w, h);
844             break;
845         default:
846             encode_raw = true;
847             break;
848     }
849 
850     /* If the client has the same pixel format as our internal buffer and
851      * a RAW encoding would need less space fall back to RAW encoding to
852      * save bandwidth and processing power in the client. */
853     if (!encode_raw && vs->write_pixels == vnc_write_pixels_copy &&
854         12 + h * w * VNC_SERVER_FB_BYTES <= (vs->output.offset - saved_offs)) {
855         vs->output.offset = saved_offs;
856         encode_raw = true;
857     }
858 
859     if (encode_raw) {
860         vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_RAW);
861         n = vnc_raw_send_framebuffer_update(vs, x, y, w, h);
862     }
863 
864     return n;
865 }
866 
867 static void vnc_copy(VncState *vs, int src_x, int src_y, int dst_x, int dst_y, int w, int h)
868 {
869     /* send bitblit op to the vnc client */
870     vnc_lock_output(vs);
871     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
872     vnc_write_u8(vs, 0);
873     vnc_write_u16(vs, 1); /* number of rects */
874     vnc_framebuffer_update(vs, dst_x, dst_y, w, h, VNC_ENCODING_COPYRECT);
875     vnc_write_u16(vs, src_x);
876     vnc_write_u16(vs, src_y);
877     vnc_unlock_output(vs);
878     vnc_flush(vs);
879 }
880 
881 static void vnc_dpy_copy(DisplayChangeListener *dcl,
882                          int src_x, int src_y,
883                          int dst_x, int dst_y, int w, int h)
884 {
885     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
886     VncState *vs, *vn;
887     uint8_t *src_row;
888     uint8_t *dst_row;
889     int i, x, y, pitch, inc, w_lim, s;
890     int cmp_bytes;
891 
892     if (!vd->server) {
893         /* no client connected */
894         return;
895     }
896 
897     vnc_refresh_server_surface(vd);
898     QTAILQ_FOREACH_SAFE(vs, &vd->clients, next, vn) {
899         if (vnc_has_feature(vs, VNC_FEATURE_COPYRECT)) {
900             vs->force_update = 1;
901             vnc_update_client(vs, 1, true);
902             /* vs might be free()ed here */
903         }
904     }
905 
906     /* do bitblit op on the local surface too */
907     pitch = vnc_server_fb_stride(vd);
908     src_row = vnc_server_fb_ptr(vd, src_x, src_y);
909     dst_row = vnc_server_fb_ptr(vd, dst_x, dst_y);
910     y = dst_y;
911     inc = 1;
912     if (dst_y > src_y) {
913         /* copy backwards */
914         src_row += pitch * (h-1);
915         dst_row += pitch * (h-1);
916         pitch = -pitch;
917         y = dst_y + h - 1;
918         inc = -1;
919     }
920     w_lim = w - (VNC_DIRTY_PIXELS_PER_BIT - (dst_x % VNC_DIRTY_PIXELS_PER_BIT));
921     if (w_lim < 0) {
922         w_lim = w;
923     } else {
924         w_lim = w - (w_lim % VNC_DIRTY_PIXELS_PER_BIT);
925     }
926     for (i = 0; i < h; i++) {
927         for (x = 0; x <= w_lim;
928                 x += s, src_row += cmp_bytes, dst_row += cmp_bytes) {
929             if (x == w_lim) {
930                 if ((s = w - w_lim) == 0)
931                     break;
932             } else if (!x) {
933                 s = (VNC_DIRTY_PIXELS_PER_BIT -
934                     (dst_x % VNC_DIRTY_PIXELS_PER_BIT));
935                 s = MIN(s, w_lim);
936             } else {
937                 s = VNC_DIRTY_PIXELS_PER_BIT;
938             }
939             cmp_bytes = s * VNC_SERVER_FB_BYTES;
940             if (memcmp(src_row, dst_row, cmp_bytes) == 0)
941                 continue;
942             memmove(dst_row, src_row, cmp_bytes);
943             QTAILQ_FOREACH(vs, &vd->clients, next) {
944                 if (!vnc_has_feature(vs, VNC_FEATURE_COPYRECT)) {
945                     set_bit(((x + dst_x) / VNC_DIRTY_PIXELS_PER_BIT),
946                             vs->dirty[y]);
947                 }
948             }
949         }
950         src_row += pitch - w * VNC_SERVER_FB_BYTES;
951         dst_row += pitch - w * VNC_SERVER_FB_BYTES;
952         y += inc;
953     }
954 
955     QTAILQ_FOREACH(vs, &vd->clients, next) {
956         if (vnc_has_feature(vs, VNC_FEATURE_COPYRECT)) {
957             vnc_copy(vs, src_x, src_y, dst_x, dst_y, w, h);
958         }
959     }
960 }
961 
962 static void vnc_mouse_set(DisplayChangeListener *dcl,
963                           int x, int y, int visible)
964 {
965     /* can we ask the client(s) to move the pointer ??? */
966 }
967 
968 static int vnc_cursor_define(VncState *vs)
969 {
970     QEMUCursor *c = vs->vd->cursor;
971     int isize;
972 
973     if (vnc_has_feature(vs, VNC_FEATURE_RICH_CURSOR)) {
974         vnc_lock_output(vs);
975         vnc_write_u8(vs,  VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
976         vnc_write_u8(vs,  0);  /*  padding     */
977         vnc_write_u16(vs, 1);  /*  # of rects  */
978         vnc_framebuffer_update(vs, c->hot_x, c->hot_y, c->width, c->height,
979                                VNC_ENCODING_RICH_CURSOR);
980         isize = c->width * c->height * vs->client_pf.bytes_per_pixel;
981         vnc_write_pixels_generic(vs, c->data, isize);
982         vnc_write(vs, vs->vd->cursor_mask, vs->vd->cursor_msize);
983         vnc_unlock_output(vs);
984         return 0;
985     }
986     return -1;
987 }
988 
989 static void vnc_dpy_cursor_define(DisplayChangeListener *dcl,
990                                   QEMUCursor *c)
991 {
992     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
993     VncState *vs;
994 
995     cursor_put(vd->cursor);
996     g_free(vd->cursor_mask);
997 
998     vd->cursor = c;
999     cursor_get(vd->cursor);
1000     vd->cursor_msize = cursor_get_mono_bpl(c) * c->height;
1001     vd->cursor_mask = g_malloc0(vd->cursor_msize);
1002     cursor_get_mono_mask(c, 0, vd->cursor_mask);
1003 
1004     QTAILQ_FOREACH(vs, &vd->clients, next) {
1005         vnc_cursor_define(vs);
1006     }
1007 }
1008 
1009 static int find_and_clear_dirty_height(VncState *vs,
1010                                        int y, int last_x, int x, int height)
1011 {
1012     int h;
1013 
1014     for (h = 1; h < (height - y); h++) {
1015         if (!test_bit(last_x, vs->dirty[y + h])) {
1016             break;
1017         }
1018         bitmap_clear(vs->dirty[y + h], last_x, x - last_x);
1019     }
1020 
1021     return h;
1022 }
1023 
1024 static int vnc_update_client(VncState *vs, int has_dirty, bool sync)
1025 {
1026     vs->has_dirty += has_dirty;
1027     if (vs->need_update && vs->ioc != NULL) {
1028         VncDisplay *vd = vs->vd;
1029         VncJob *job;
1030         int y;
1031         int height, width;
1032         int n = 0;
1033 
1034         if (vs->output.offset && !vs->audio_cap && !vs->force_update)
1035             /* kernel send buffers are full -> drop frames to throttle */
1036             return 0;
1037 
1038         if (!vs->has_dirty && !vs->audio_cap && !vs->force_update)
1039             return 0;
1040 
1041         /*
1042          * Send screen updates to the vnc client using the server
1043          * surface and server dirty map.  guest surface updates
1044          * happening in parallel don't disturb us, the next pass will
1045          * send them to the client.
1046          */
1047         job = vnc_job_new(vs);
1048 
1049         height = pixman_image_get_height(vd->server);
1050         width = pixman_image_get_width(vd->server);
1051 
1052         y = 0;
1053         for (;;) {
1054             int x, h;
1055             unsigned long x2;
1056             unsigned long offset = find_next_bit((unsigned long *) &vs->dirty,
1057                                                  height * VNC_DIRTY_BPL(vs),
1058                                                  y * VNC_DIRTY_BPL(vs));
1059             if (offset == height * VNC_DIRTY_BPL(vs)) {
1060                 /* no more dirty bits */
1061                 break;
1062             }
1063             y = offset / VNC_DIRTY_BPL(vs);
1064             x = offset % VNC_DIRTY_BPL(vs);
1065             x2 = find_next_zero_bit((unsigned long *) &vs->dirty[y],
1066                                     VNC_DIRTY_BPL(vs), x);
1067             bitmap_clear(vs->dirty[y], x, x2 - x);
1068             h = find_and_clear_dirty_height(vs, y, x, x2, height);
1069             x2 = MIN(x2, width / VNC_DIRTY_PIXELS_PER_BIT);
1070             if (x2 > x) {
1071                 n += vnc_job_add_rect(job, x * VNC_DIRTY_PIXELS_PER_BIT, y,
1072                                       (x2 - x) * VNC_DIRTY_PIXELS_PER_BIT, h);
1073             }
1074             if (!x && x2 == width / VNC_DIRTY_PIXELS_PER_BIT) {
1075                 y += h;
1076                 if (y == height) {
1077                     break;
1078                 }
1079             }
1080         }
1081 
1082         vnc_job_push(job);
1083         if (sync) {
1084             vnc_jobs_join(vs);
1085         }
1086         vs->force_update = 0;
1087         vs->has_dirty = 0;
1088         return n;
1089     }
1090 
1091     if (vs->disconnecting) {
1092         vnc_disconnect_finish(vs);
1093     } else if (sync) {
1094         vnc_jobs_join(vs);
1095     }
1096 
1097     return 0;
1098 }
1099 
1100 /* audio */
1101 static void audio_capture_notify(void *opaque, audcnotification_e cmd)
1102 {
1103     VncState *vs = opaque;
1104 
1105     switch (cmd) {
1106     case AUD_CNOTIFY_DISABLE:
1107         vnc_lock_output(vs);
1108         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1109         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1110         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_END);
1111         vnc_unlock_output(vs);
1112         vnc_flush(vs);
1113         break;
1114 
1115     case AUD_CNOTIFY_ENABLE:
1116         vnc_lock_output(vs);
1117         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1118         vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1119         vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_BEGIN);
1120         vnc_unlock_output(vs);
1121         vnc_flush(vs);
1122         break;
1123     }
1124 }
1125 
1126 static void audio_capture_destroy(void *opaque)
1127 {
1128 }
1129 
1130 static void audio_capture(void *opaque, void *buf, int size)
1131 {
1132     VncState *vs = opaque;
1133 
1134     vnc_lock_output(vs);
1135     vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1136     vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1137     vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_DATA);
1138     vnc_write_u32(vs, size);
1139     vnc_write(vs, buf, size);
1140     vnc_unlock_output(vs);
1141     vnc_flush(vs);
1142 }
1143 
1144 static void audio_add(VncState *vs)
1145 {
1146     struct audio_capture_ops ops;
1147 
1148     if (vs->audio_cap) {
1149         error_report("audio already running");
1150         return;
1151     }
1152 
1153     ops.notify = audio_capture_notify;
1154     ops.destroy = audio_capture_destroy;
1155     ops.capture = audio_capture;
1156 
1157     vs->audio_cap = AUD_add_capture(&vs->as, &ops, vs);
1158     if (!vs->audio_cap) {
1159         error_report("Failed to add audio capture");
1160     }
1161 }
1162 
1163 static void audio_del(VncState *vs)
1164 {
1165     if (vs->audio_cap) {
1166         AUD_del_capture(vs->audio_cap, vs);
1167         vs->audio_cap = NULL;
1168     }
1169 }
1170 
1171 static void vnc_disconnect_start(VncState *vs)
1172 {
1173     if (vs->disconnecting) {
1174         return;
1175     }
1176     vnc_set_share_mode(vs, VNC_SHARE_MODE_DISCONNECTED);
1177     if (vs->ioc_tag) {
1178         g_source_remove(vs->ioc_tag);
1179     }
1180     qio_channel_close(vs->ioc, NULL);
1181     vs->disconnecting = TRUE;
1182 }
1183 
1184 void vnc_disconnect_finish(VncState *vs)
1185 {
1186     int i;
1187 
1188     vnc_jobs_join(vs); /* Wait encoding jobs */
1189 
1190     vnc_lock_output(vs);
1191     vnc_qmp_event(vs, QAPI_EVENT_VNC_DISCONNECTED);
1192 
1193     buffer_free(&vs->input);
1194     buffer_free(&vs->output);
1195 
1196     qapi_free_VncClientInfo(vs->info);
1197 
1198     vnc_zlib_clear(vs);
1199     vnc_tight_clear(vs);
1200     vnc_zrle_clear(vs);
1201 
1202 #ifdef CONFIG_VNC_SASL
1203     vnc_sasl_client_cleanup(vs);
1204 #endif /* CONFIG_VNC_SASL */
1205     audio_del(vs);
1206     vnc_release_modifiers(vs);
1207 
1208     if (vs->initialized) {
1209         QTAILQ_REMOVE(&vs->vd->clients, vs, next);
1210         qemu_remove_mouse_mode_change_notifier(&vs->mouse_mode_notifier);
1211         if (QTAILQ_EMPTY(&vs->vd->clients)) {
1212             /* last client gone */
1213             vnc_update_server_surface(vs->vd);
1214         }
1215     }
1216 
1217     if (vs->vd->lock_key_sync)
1218         qemu_remove_led_event_handler(vs->led);
1219     vnc_unlock_output(vs);
1220 
1221     qemu_mutex_destroy(&vs->output_mutex);
1222     if (vs->bh != NULL) {
1223         qemu_bh_delete(vs->bh);
1224     }
1225     buffer_free(&vs->jobs_buffer);
1226 
1227     for (i = 0; i < VNC_STAT_ROWS; ++i) {
1228         g_free(vs->lossy_rect[i]);
1229     }
1230     g_free(vs->lossy_rect);
1231 
1232     object_unref(OBJECT(vs->ioc));
1233     vs->ioc = NULL;
1234     object_unref(OBJECT(vs->sioc));
1235     vs->sioc = NULL;
1236     g_free(vs);
1237 }
1238 
1239 ssize_t vnc_client_io_error(VncState *vs, ssize_t ret, Error **errp)
1240 {
1241     if (ret <= 0) {
1242         if (ret == 0) {
1243             VNC_DEBUG("Closing down client sock: EOF\n");
1244         } else if (ret != QIO_CHANNEL_ERR_BLOCK) {
1245             VNC_DEBUG("Closing down client sock: ret %d (%s)\n",
1246                       ret, errp ? error_get_pretty(*errp) : "Unknown");
1247         }
1248 
1249         vnc_disconnect_start(vs);
1250         if (errp) {
1251             error_free(*errp);
1252             *errp = NULL;
1253         }
1254         return 0;
1255     }
1256     return ret;
1257 }
1258 
1259 
1260 void vnc_client_error(VncState *vs)
1261 {
1262     VNC_DEBUG("Closing down client sock: protocol error\n");
1263     vnc_disconnect_start(vs);
1264 }
1265 
1266 
1267 /*
1268  * Called to write a chunk of data to the client socket. The data may
1269  * be the raw data, or may have already been encoded by SASL.
1270  * The data will be written either straight onto the socket, or
1271  * written via the GNUTLS wrappers, if TLS/SSL encryption is enabled
1272  *
1273  * NB, it is theoretically possible to have 2 layers of encryption,
1274  * both SASL, and this TLS layer. It is highly unlikely in practice
1275  * though, since SASL encryption will typically be a no-op if TLS
1276  * is active
1277  *
1278  * Returns the number of bytes written, which may be less than
1279  * the requested 'datalen' if the socket would block. Returns
1280  * -1 on error, and disconnects the client socket.
1281  */
1282 ssize_t vnc_client_write_buf(VncState *vs, const uint8_t *data, size_t datalen)
1283 {
1284     Error *err = NULL;
1285     ssize_t ret;
1286     ret = qio_channel_write(
1287         vs->ioc, (const char *)data, datalen, &err);
1288     VNC_DEBUG("Wrote wire %p %zd -> %ld\n", data, datalen, ret);
1289     return vnc_client_io_error(vs, ret, &err);
1290 }
1291 
1292 
1293 /*
1294  * Called to write buffered data to the client socket, when not
1295  * using any SASL SSF encryption layers. Will write as much data
1296  * as possible without blocking. If all buffered data is written,
1297  * will switch the FD poll() handler back to read monitoring.
1298  *
1299  * Returns the number of bytes written, which may be less than
1300  * the buffered output data if the socket would block. Returns
1301  * -1 on error, and disconnects the client socket.
1302  */
1303 static ssize_t vnc_client_write_plain(VncState *vs)
1304 {
1305     ssize_t ret;
1306 
1307 #ifdef CONFIG_VNC_SASL
1308     VNC_DEBUG("Write Plain: Pending output %p size %zd offset %zd. Wait SSF %d\n",
1309               vs->output.buffer, vs->output.capacity, vs->output.offset,
1310               vs->sasl.waitWriteSSF);
1311 
1312     if (vs->sasl.conn &&
1313         vs->sasl.runSSF &&
1314         vs->sasl.waitWriteSSF) {
1315         ret = vnc_client_write_buf(vs, vs->output.buffer, vs->sasl.waitWriteSSF);
1316         if (ret)
1317             vs->sasl.waitWriteSSF -= ret;
1318     } else
1319 #endif /* CONFIG_VNC_SASL */
1320         ret = vnc_client_write_buf(vs, vs->output.buffer, vs->output.offset);
1321     if (!ret)
1322         return 0;
1323 
1324     buffer_advance(&vs->output, ret);
1325 
1326     if (vs->output.offset == 0) {
1327         if (vs->ioc_tag) {
1328             g_source_remove(vs->ioc_tag);
1329         }
1330         vs->ioc_tag = qio_channel_add_watch(
1331             vs->ioc, G_IO_IN, vnc_client_io, vs, NULL);
1332     }
1333 
1334     return ret;
1335 }
1336 
1337 
1338 /*
1339  * First function called whenever there is data to be written to
1340  * the client socket. Will delegate actual work according to whether
1341  * SASL SSF layers are enabled (thus requiring encryption calls)
1342  */
1343 static void vnc_client_write_locked(VncState *vs)
1344 {
1345 #ifdef CONFIG_VNC_SASL
1346     if (vs->sasl.conn &&
1347         vs->sasl.runSSF &&
1348         !vs->sasl.waitWriteSSF) {
1349         vnc_client_write_sasl(vs);
1350     } else
1351 #endif /* CONFIG_VNC_SASL */
1352     {
1353         vnc_client_write_plain(vs);
1354     }
1355 }
1356 
1357 static void vnc_client_write(VncState *vs)
1358 {
1359 
1360     vnc_lock_output(vs);
1361     if (vs->output.offset) {
1362         vnc_client_write_locked(vs);
1363     } else if (vs->ioc != NULL) {
1364         if (vs->ioc_tag) {
1365             g_source_remove(vs->ioc_tag);
1366         }
1367         vs->ioc_tag = qio_channel_add_watch(
1368             vs->ioc, G_IO_IN, vnc_client_io, vs, NULL);
1369     }
1370     vnc_unlock_output(vs);
1371 }
1372 
1373 void vnc_read_when(VncState *vs, VncReadEvent *func, size_t expecting)
1374 {
1375     vs->read_handler = func;
1376     vs->read_handler_expect = expecting;
1377 }
1378 
1379 
1380 /*
1381  * Called to read a chunk of data from the client socket. The data may
1382  * be the raw data, or may need to be further decoded by SASL.
1383  * The data will be read either straight from to the socket, or
1384  * read via the GNUTLS wrappers, if TLS/SSL encryption is enabled
1385  *
1386  * NB, it is theoretically possible to have 2 layers of encryption,
1387  * both SASL, and this TLS layer. It is highly unlikely in practice
1388  * though, since SASL encryption will typically be a no-op if TLS
1389  * is active
1390  *
1391  * Returns the number of bytes read, which may be less than
1392  * the requested 'datalen' if the socket would block. Returns
1393  * -1 on error, and disconnects the client socket.
1394  */
1395 ssize_t vnc_client_read_buf(VncState *vs, uint8_t *data, size_t datalen)
1396 {
1397     ssize_t ret;
1398     Error *err = NULL;
1399     ret = qio_channel_read(
1400         vs->ioc, (char *)data, datalen, &err);
1401     VNC_DEBUG("Read wire %p %zd -> %ld\n", data, datalen, ret);
1402     return vnc_client_io_error(vs, ret, &err);
1403 }
1404 
1405 
1406 /*
1407  * Called to read data from the client socket to the input buffer,
1408  * when not using any SASL SSF encryption layers. Will read as much
1409  * data as possible without blocking.
1410  *
1411  * Returns the number of bytes read. Returns -1 on error, and
1412  * disconnects the client socket.
1413  */
1414 static ssize_t vnc_client_read_plain(VncState *vs)
1415 {
1416     ssize_t ret;
1417     VNC_DEBUG("Read plain %p size %zd offset %zd\n",
1418               vs->input.buffer, vs->input.capacity, vs->input.offset);
1419     buffer_reserve(&vs->input, 4096);
1420     ret = vnc_client_read_buf(vs, buffer_end(&vs->input), 4096);
1421     if (!ret)
1422         return 0;
1423     vs->input.offset += ret;
1424     return ret;
1425 }
1426 
1427 static void vnc_jobs_bh(void *opaque)
1428 {
1429     VncState *vs = opaque;
1430 
1431     vnc_jobs_consume_buffer(vs);
1432 }
1433 
1434 /*
1435  * First function called whenever there is more data to be read from
1436  * the client socket. Will delegate actual work according to whether
1437  * SASL SSF layers are enabled (thus requiring decryption calls)
1438  */
1439 static void vnc_client_read(VncState *vs)
1440 {
1441     ssize_t ret;
1442 
1443 #ifdef CONFIG_VNC_SASL
1444     if (vs->sasl.conn && vs->sasl.runSSF)
1445         ret = vnc_client_read_sasl(vs);
1446     else
1447 #endif /* CONFIG_VNC_SASL */
1448         ret = vnc_client_read_plain(vs);
1449     if (!ret) {
1450         if (vs->disconnecting) {
1451             vnc_disconnect_finish(vs);
1452         }
1453         return;
1454     }
1455 
1456     while (vs->read_handler && vs->input.offset >= vs->read_handler_expect) {
1457         size_t len = vs->read_handler_expect;
1458         int ret;
1459 
1460         ret = vs->read_handler(vs, vs->input.buffer, len);
1461         if (vs->disconnecting) {
1462             vnc_disconnect_finish(vs);
1463             return;
1464         }
1465 
1466         if (!ret) {
1467             buffer_advance(&vs->input, len);
1468         } else {
1469             vs->read_handler_expect = ret;
1470         }
1471     }
1472 }
1473 
1474 gboolean vnc_client_io(QIOChannel *ioc G_GNUC_UNUSED,
1475                        GIOCondition condition, void *opaque)
1476 {
1477     VncState *vs = opaque;
1478     if (condition & G_IO_IN) {
1479         vnc_client_read(vs);
1480     }
1481     if (condition & G_IO_OUT) {
1482         vnc_client_write(vs);
1483     }
1484     return TRUE;
1485 }
1486 
1487 
1488 void vnc_write(VncState *vs, const void *data, size_t len)
1489 {
1490     buffer_reserve(&vs->output, len);
1491 
1492     if (vs->ioc != NULL && buffer_empty(&vs->output)) {
1493         if (vs->ioc_tag) {
1494             g_source_remove(vs->ioc_tag);
1495         }
1496         vs->ioc_tag = qio_channel_add_watch(
1497             vs->ioc, G_IO_IN | G_IO_OUT, vnc_client_io, vs, NULL);
1498     }
1499 
1500     buffer_append(&vs->output, data, len);
1501 }
1502 
1503 void vnc_write_s32(VncState *vs, int32_t value)
1504 {
1505     vnc_write_u32(vs, *(uint32_t *)&value);
1506 }
1507 
1508 void vnc_write_u32(VncState *vs, uint32_t value)
1509 {
1510     uint8_t buf[4];
1511 
1512     buf[0] = (value >> 24) & 0xFF;
1513     buf[1] = (value >> 16) & 0xFF;
1514     buf[2] = (value >>  8) & 0xFF;
1515     buf[3] = value & 0xFF;
1516 
1517     vnc_write(vs, buf, 4);
1518 }
1519 
1520 void vnc_write_u16(VncState *vs, uint16_t value)
1521 {
1522     uint8_t buf[2];
1523 
1524     buf[0] = (value >> 8) & 0xFF;
1525     buf[1] = value & 0xFF;
1526 
1527     vnc_write(vs, buf, 2);
1528 }
1529 
1530 void vnc_write_u8(VncState *vs, uint8_t value)
1531 {
1532     vnc_write(vs, (char *)&value, 1);
1533 }
1534 
1535 void vnc_flush(VncState *vs)
1536 {
1537     vnc_lock_output(vs);
1538     if (vs->ioc != NULL && vs->output.offset) {
1539         vnc_client_write_locked(vs);
1540     }
1541     vnc_unlock_output(vs);
1542 }
1543 
1544 static uint8_t read_u8(uint8_t *data, size_t offset)
1545 {
1546     return data[offset];
1547 }
1548 
1549 static uint16_t read_u16(uint8_t *data, size_t offset)
1550 {
1551     return ((data[offset] & 0xFF) << 8) | (data[offset + 1] & 0xFF);
1552 }
1553 
1554 static int32_t read_s32(uint8_t *data, size_t offset)
1555 {
1556     return (int32_t)((data[offset] << 24) | (data[offset + 1] << 16) |
1557                      (data[offset + 2] << 8) | data[offset + 3]);
1558 }
1559 
1560 uint32_t read_u32(uint8_t *data, size_t offset)
1561 {
1562     return ((data[offset] << 24) | (data[offset + 1] << 16) |
1563             (data[offset + 2] << 8) | data[offset + 3]);
1564 }
1565 
1566 static void client_cut_text(VncState *vs, size_t len, uint8_t *text)
1567 {
1568 }
1569 
1570 static void check_pointer_type_change(Notifier *notifier, void *data)
1571 {
1572     VncState *vs = container_of(notifier, VncState, mouse_mode_notifier);
1573     int absolute = qemu_input_is_absolute();
1574 
1575     if (vnc_has_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE) && vs->absolute != absolute) {
1576         vnc_lock_output(vs);
1577         vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1578         vnc_write_u8(vs, 0);
1579         vnc_write_u16(vs, 1);
1580         vnc_framebuffer_update(vs, absolute, 0,
1581                                pixman_image_get_width(vs->vd->server),
1582                                pixman_image_get_height(vs->vd->server),
1583                                VNC_ENCODING_POINTER_TYPE_CHANGE);
1584         vnc_unlock_output(vs);
1585         vnc_flush(vs);
1586     }
1587     vs->absolute = absolute;
1588 }
1589 
1590 static void pointer_event(VncState *vs, int button_mask, int x, int y)
1591 {
1592     static uint32_t bmap[INPUT_BUTTON__MAX] = {
1593         [INPUT_BUTTON_LEFT]       = 0x01,
1594         [INPUT_BUTTON_MIDDLE]     = 0x02,
1595         [INPUT_BUTTON_RIGHT]      = 0x04,
1596         [INPUT_BUTTON_WHEELUP]    = 0x08,
1597         [INPUT_BUTTON_WHEELDOWN]  = 0x10,
1598     };
1599     QemuConsole *con = vs->vd->dcl.con;
1600     int width = pixman_image_get_width(vs->vd->server);
1601     int height = pixman_image_get_height(vs->vd->server);
1602 
1603     if (vs->last_bmask != button_mask) {
1604         qemu_input_update_buttons(con, bmap, vs->last_bmask, button_mask);
1605         vs->last_bmask = button_mask;
1606     }
1607 
1608     if (vs->absolute) {
1609         qemu_input_queue_abs(con, INPUT_AXIS_X, x, width);
1610         qemu_input_queue_abs(con, INPUT_AXIS_Y, y, height);
1611     } else if (vnc_has_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE)) {
1612         qemu_input_queue_rel(con, INPUT_AXIS_X, x - 0x7FFF);
1613         qemu_input_queue_rel(con, INPUT_AXIS_Y, y - 0x7FFF);
1614     } else {
1615         if (vs->last_x != -1) {
1616             qemu_input_queue_rel(con, INPUT_AXIS_X, x - vs->last_x);
1617             qemu_input_queue_rel(con, INPUT_AXIS_Y, y - vs->last_y);
1618         }
1619         vs->last_x = x;
1620         vs->last_y = y;
1621     }
1622     qemu_input_event_sync();
1623 }
1624 
1625 static void reset_keys(VncState *vs)
1626 {
1627     int i;
1628     for(i = 0; i < 256; i++) {
1629         if (vs->modifiers_state[i]) {
1630             qemu_input_event_send_key_number(vs->vd->dcl.con, i, false);
1631             vs->modifiers_state[i] = 0;
1632         }
1633     }
1634 }
1635 
1636 static void press_key(VncState *vs, int keysym)
1637 {
1638     int keycode = keysym2scancode(vs->vd->kbd_layout, keysym) & SCANCODE_KEYMASK;
1639     qemu_input_event_send_key_number(vs->vd->dcl.con, keycode, true);
1640     qemu_input_event_send_key_delay(0);
1641     qemu_input_event_send_key_number(vs->vd->dcl.con, keycode, false);
1642     qemu_input_event_send_key_delay(0);
1643 }
1644 
1645 static int current_led_state(VncState *vs)
1646 {
1647     int ledstate = 0;
1648 
1649     if (vs->modifiers_state[0x46]) {
1650         ledstate |= QEMU_SCROLL_LOCK_LED;
1651     }
1652     if (vs->modifiers_state[0x45]) {
1653         ledstate |= QEMU_NUM_LOCK_LED;
1654     }
1655     if (vs->modifiers_state[0x3a]) {
1656         ledstate |= QEMU_CAPS_LOCK_LED;
1657     }
1658 
1659     return ledstate;
1660 }
1661 
1662 static void vnc_led_state_change(VncState *vs)
1663 {
1664     int ledstate = 0;
1665 
1666     if (!vnc_has_feature(vs, VNC_FEATURE_LED_STATE)) {
1667         return;
1668     }
1669 
1670     ledstate = current_led_state(vs);
1671     vnc_lock_output(vs);
1672     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1673     vnc_write_u8(vs, 0);
1674     vnc_write_u16(vs, 1);
1675     vnc_framebuffer_update(vs, 0, 0, 1, 1, VNC_ENCODING_LED_STATE);
1676     vnc_write_u8(vs, ledstate);
1677     vnc_unlock_output(vs);
1678     vnc_flush(vs);
1679 }
1680 
1681 static void kbd_leds(void *opaque, int ledstate)
1682 {
1683     VncState *vs = opaque;
1684     int caps, num, scr;
1685     bool has_changed = (ledstate != current_led_state(vs));
1686 
1687     trace_vnc_key_guest_leds((ledstate & QEMU_CAPS_LOCK_LED),
1688                              (ledstate & QEMU_NUM_LOCK_LED),
1689                              (ledstate & QEMU_SCROLL_LOCK_LED));
1690 
1691     caps = ledstate & QEMU_CAPS_LOCK_LED ? 1 : 0;
1692     num  = ledstate & QEMU_NUM_LOCK_LED  ? 1 : 0;
1693     scr  = ledstate & QEMU_SCROLL_LOCK_LED ? 1 : 0;
1694 
1695     if (vs->modifiers_state[0x3a] != caps) {
1696         vs->modifiers_state[0x3a] = caps;
1697     }
1698     if (vs->modifiers_state[0x45] != num) {
1699         vs->modifiers_state[0x45] = num;
1700     }
1701     if (vs->modifiers_state[0x46] != scr) {
1702         vs->modifiers_state[0x46] = scr;
1703     }
1704 
1705     /* Sending the current led state message to the client */
1706     if (has_changed) {
1707         vnc_led_state_change(vs);
1708     }
1709 }
1710 
1711 static void do_key_event(VncState *vs, int down, int keycode, int sym)
1712 {
1713     /* QEMU console switch */
1714     switch(keycode) {
1715     case 0x2a:                          /* Left Shift */
1716     case 0x36:                          /* Right Shift */
1717     case 0x1d:                          /* Left CTRL */
1718     case 0x9d:                          /* Right CTRL */
1719     case 0x38:                          /* Left ALT */
1720     case 0xb8:                          /* Right ALT */
1721         if (down)
1722             vs->modifiers_state[keycode] = 1;
1723         else
1724             vs->modifiers_state[keycode] = 0;
1725         break;
1726     case 0x02 ... 0x0a: /* '1' to '9' keys */
1727         if (vs->vd->dcl.con == NULL &&
1728             down && vs->modifiers_state[0x1d] && vs->modifiers_state[0x38]) {
1729             /* Reset the modifiers sent to the current console */
1730             reset_keys(vs);
1731             console_select(keycode - 0x02);
1732             return;
1733         }
1734         break;
1735     case 0x3a:                        /* CapsLock */
1736     case 0x45:                        /* NumLock */
1737         if (down)
1738             vs->modifiers_state[keycode] ^= 1;
1739         break;
1740     }
1741 
1742     /* Turn off the lock state sync logic if the client support the led
1743        state extension.
1744     */
1745     if (down && vs->vd->lock_key_sync &&
1746         !vnc_has_feature(vs, VNC_FEATURE_LED_STATE) &&
1747         keycode_is_keypad(vs->vd->kbd_layout, keycode)) {
1748         /* If the numlock state needs to change then simulate an additional
1749            keypress before sending this one.  This will happen if the user
1750            toggles numlock away from the VNC window.
1751         */
1752         if (keysym_is_numlock(vs->vd->kbd_layout, sym & 0xFFFF)) {
1753             if (!vs->modifiers_state[0x45]) {
1754                 trace_vnc_key_sync_numlock(true);
1755                 vs->modifiers_state[0x45] = 1;
1756                 press_key(vs, 0xff7f);
1757             }
1758         } else {
1759             if (vs->modifiers_state[0x45]) {
1760                 trace_vnc_key_sync_numlock(false);
1761                 vs->modifiers_state[0x45] = 0;
1762                 press_key(vs, 0xff7f);
1763             }
1764         }
1765     }
1766 
1767     if (down && vs->vd->lock_key_sync &&
1768         !vnc_has_feature(vs, VNC_FEATURE_LED_STATE) &&
1769         ((sym >= 'A' && sym <= 'Z') || (sym >= 'a' && sym <= 'z'))) {
1770         /* If the capslock state needs to change then simulate an additional
1771            keypress before sending this one.  This will happen if the user
1772            toggles capslock away from the VNC window.
1773         */
1774         int uppercase = !!(sym >= 'A' && sym <= 'Z');
1775         int shift = !!(vs->modifiers_state[0x2a] | vs->modifiers_state[0x36]);
1776         int capslock = !!(vs->modifiers_state[0x3a]);
1777         if (capslock) {
1778             if (uppercase == shift) {
1779                 trace_vnc_key_sync_capslock(false);
1780                 vs->modifiers_state[0x3a] = 0;
1781                 press_key(vs, 0xffe5);
1782             }
1783         } else {
1784             if (uppercase != shift) {
1785                 trace_vnc_key_sync_capslock(true);
1786                 vs->modifiers_state[0x3a] = 1;
1787                 press_key(vs, 0xffe5);
1788             }
1789         }
1790     }
1791 
1792     if (qemu_console_is_graphic(NULL)) {
1793         qemu_input_event_send_key_number(vs->vd->dcl.con, keycode, down);
1794     } else {
1795         bool numlock = vs->modifiers_state[0x45];
1796         bool control = (vs->modifiers_state[0x1d] ||
1797                         vs->modifiers_state[0x9d]);
1798         /* QEMU console emulation */
1799         if (down) {
1800             switch (keycode) {
1801             case 0x2a:                          /* Left Shift */
1802             case 0x36:                          /* Right Shift */
1803             case 0x1d:                          /* Left CTRL */
1804             case 0x9d:                          /* Right CTRL */
1805             case 0x38:                          /* Left ALT */
1806             case 0xb8:                          /* Right ALT */
1807                 break;
1808             case 0xc8:
1809                 kbd_put_keysym(QEMU_KEY_UP);
1810                 break;
1811             case 0xd0:
1812                 kbd_put_keysym(QEMU_KEY_DOWN);
1813                 break;
1814             case 0xcb:
1815                 kbd_put_keysym(QEMU_KEY_LEFT);
1816                 break;
1817             case 0xcd:
1818                 kbd_put_keysym(QEMU_KEY_RIGHT);
1819                 break;
1820             case 0xd3:
1821                 kbd_put_keysym(QEMU_KEY_DELETE);
1822                 break;
1823             case 0xc7:
1824                 kbd_put_keysym(QEMU_KEY_HOME);
1825                 break;
1826             case 0xcf:
1827                 kbd_put_keysym(QEMU_KEY_END);
1828                 break;
1829             case 0xc9:
1830                 kbd_put_keysym(QEMU_KEY_PAGEUP);
1831                 break;
1832             case 0xd1:
1833                 kbd_put_keysym(QEMU_KEY_PAGEDOWN);
1834                 break;
1835 
1836             case 0x47:
1837                 kbd_put_keysym(numlock ? '7' : QEMU_KEY_HOME);
1838                 break;
1839             case 0x48:
1840                 kbd_put_keysym(numlock ? '8' : QEMU_KEY_UP);
1841                 break;
1842             case 0x49:
1843                 kbd_put_keysym(numlock ? '9' : QEMU_KEY_PAGEUP);
1844                 break;
1845             case 0x4b:
1846                 kbd_put_keysym(numlock ? '4' : QEMU_KEY_LEFT);
1847                 break;
1848             case 0x4c:
1849                 kbd_put_keysym('5');
1850                 break;
1851             case 0x4d:
1852                 kbd_put_keysym(numlock ? '6' : QEMU_KEY_RIGHT);
1853                 break;
1854             case 0x4f:
1855                 kbd_put_keysym(numlock ? '1' : QEMU_KEY_END);
1856                 break;
1857             case 0x50:
1858                 kbd_put_keysym(numlock ? '2' : QEMU_KEY_DOWN);
1859                 break;
1860             case 0x51:
1861                 kbd_put_keysym(numlock ? '3' : QEMU_KEY_PAGEDOWN);
1862                 break;
1863             case 0x52:
1864                 kbd_put_keysym('0');
1865                 break;
1866             case 0x53:
1867                 kbd_put_keysym(numlock ? '.' : QEMU_KEY_DELETE);
1868                 break;
1869 
1870             case 0xb5:
1871                 kbd_put_keysym('/');
1872                 break;
1873             case 0x37:
1874                 kbd_put_keysym('*');
1875                 break;
1876             case 0x4a:
1877                 kbd_put_keysym('-');
1878                 break;
1879             case 0x4e:
1880                 kbd_put_keysym('+');
1881                 break;
1882             case 0x9c:
1883                 kbd_put_keysym('\n');
1884                 break;
1885 
1886             default:
1887                 if (control) {
1888                     kbd_put_keysym(sym & 0x1f);
1889                 } else {
1890                     kbd_put_keysym(sym);
1891                 }
1892                 break;
1893             }
1894         }
1895     }
1896 }
1897 
1898 static void vnc_release_modifiers(VncState *vs)
1899 {
1900     static const int keycodes[] = {
1901         /* shift, control, alt keys, both left & right */
1902         0x2a, 0x36, 0x1d, 0x9d, 0x38, 0xb8,
1903     };
1904     int i, keycode;
1905 
1906     if (!qemu_console_is_graphic(NULL)) {
1907         return;
1908     }
1909     for (i = 0; i < ARRAY_SIZE(keycodes); i++) {
1910         keycode = keycodes[i];
1911         if (!vs->modifiers_state[keycode]) {
1912             continue;
1913         }
1914         qemu_input_event_send_key_number(vs->vd->dcl.con, keycode, false);
1915     }
1916 }
1917 
1918 static const char *code2name(int keycode)
1919 {
1920     return QKeyCode_lookup[qemu_input_key_number_to_qcode(keycode)];
1921 }
1922 
1923 static void key_event(VncState *vs, int down, uint32_t sym)
1924 {
1925     int keycode;
1926     int lsym = sym;
1927 
1928     if (lsym >= 'A' && lsym <= 'Z' && qemu_console_is_graphic(NULL)) {
1929         lsym = lsym - 'A' + 'a';
1930     }
1931 
1932     keycode = keysym2scancode(vs->vd->kbd_layout, lsym & 0xFFFF) & SCANCODE_KEYMASK;
1933     trace_vnc_key_event_map(down, sym, keycode, code2name(keycode));
1934     do_key_event(vs, down, keycode, sym);
1935 }
1936 
1937 static void ext_key_event(VncState *vs, int down,
1938                           uint32_t sym, uint16_t keycode)
1939 {
1940     /* if the user specifies a keyboard layout, always use it */
1941     if (keyboard_layout) {
1942         key_event(vs, down, sym);
1943     } else {
1944         trace_vnc_key_event_ext(down, sym, keycode, code2name(keycode));
1945         do_key_event(vs, down, keycode, sym);
1946     }
1947 }
1948 
1949 static void framebuffer_update_request(VncState *vs, int incremental,
1950                                        int x, int y, int w, int h)
1951 {
1952     vs->need_update = 1;
1953 
1954     if (incremental) {
1955         return;
1956     }
1957 
1958     vs->force_update = 1;
1959     vnc_set_area_dirty(vs->dirty, vs->vd, x, y, w, h);
1960 }
1961 
1962 static void send_ext_key_event_ack(VncState *vs)
1963 {
1964     vnc_lock_output(vs);
1965     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1966     vnc_write_u8(vs, 0);
1967     vnc_write_u16(vs, 1);
1968     vnc_framebuffer_update(vs, 0, 0,
1969                            pixman_image_get_width(vs->vd->server),
1970                            pixman_image_get_height(vs->vd->server),
1971                            VNC_ENCODING_EXT_KEY_EVENT);
1972     vnc_unlock_output(vs);
1973     vnc_flush(vs);
1974 }
1975 
1976 static void send_ext_audio_ack(VncState *vs)
1977 {
1978     vnc_lock_output(vs);
1979     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1980     vnc_write_u8(vs, 0);
1981     vnc_write_u16(vs, 1);
1982     vnc_framebuffer_update(vs, 0, 0,
1983                            pixman_image_get_width(vs->vd->server),
1984                            pixman_image_get_height(vs->vd->server),
1985                            VNC_ENCODING_AUDIO);
1986     vnc_unlock_output(vs);
1987     vnc_flush(vs);
1988 }
1989 
1990 static void set_encodings(VncState *vs, int32_t *encodings, size_t n_encodings)
1991 {
1992     int i;
1993     unsigned int enc = 0;
1994 
1995     vs->features = 0;
1996     vs->vnc_encoding = 0;
1997     vs->tight.compression = 9;
1998     vs->tight.quality = -1; /* Lossless by default */
1999     vs->absolute = -1;
2000 
2001     /*
2002      * Start from the end because the encodings are sent in order of preference.
2003      * This way the preferred encoding (first encoding defined in the array)
2004      * will be set at the end of the loop.
2005      */
2006     for (i = n_encodings - 1; i >= 0; i--) {
2007         enc = encodings[i];
2008         switch (enc) {
2009         case VNC_ENCODING_RAW:
2010             vs->vnc_encoding = enc;
2011             break;
2012         case VNC_ENCODING_COPYRECT:
2013             vs->features |= VNC_FEATURE_COPYRECT_MASK;
2014             break;
2015         case VNC_ENCODING_HEXTILE:
2016             vs->features |= VNC_FEATURE_HEXTILE_MASK;
2017             vs->vnc_encoding = enc;
2018             break;
2019         case VNC_ENCODING_TIGHT:
2020             vs->features |= VNC_FEATURE_TIGHT_MASK;
2021             vs->vnc_encoding = enc;
2022             break;
2023 #ifdef CONFIG_VNC_PNG
2024         case VNC_ENCODING_TIGHT_PNG:
2025             vs->features |= VNC_FEATURE_TIGHT_PNG_MASK;
2026             vs->vnc_encoding = enc;
2027             break;
2028 #endif
2029         case VNC_ENCODING_ZLIB:
2030             vs->features |= VNC_FEATURE_ZLIB_MASK;
2031             vs->vnc_encoding = enc;
2032             break;
2033         case VNC_ENCODING_ZRLE:
2034             vs->features |= VNC_FEATURE_ZRLE_MASK;
2035             vs->vnc_encoding = enc;
2036             break;
2037         case VNC_ENCODING_ZYWRLE:
2038             vs->features |= VNC_FEATURE_ZYWRLE_MASK;
2039             vs->vnc_encoding = enc;
2040             break;
2041         case VNC_ENCODING_DESKTOPRESIZE:
2042             vs->features |= VNC_FEATURE_RESIZE_MASK;
2043             break;
2044         case VNC_ENCODING_POINTER_TYPE_CHANGE:
2045             vs->features |= VNC_FEATURE_POINTER_TYPE_CHANGE_MASK;
2046             break;
2047         case VNC_ENCODING_RICH_CURSOR:
2048             vs->features |= VNC_FEATURE_RICH_CURSOR_MASK;
2049             break;
2050         case VNC_ENCODING_EXT_KEY_EVENT:
2051             send_ext_key_event_ack(vs);
2052             break;
2053         case VNC_ENCODING_AUDIO:
2054             send_ext_audio_ack(vs);
2055             break;
2056         case VNC_ENCODING_WMVi:
2057             vs->features |= VNC_FEATURE_WMVI_MASK;
2058             break;
2059         case VNC_ENCODING_LED_STATE:
2060             vs->features |= VNC_FEATURE_LED_STATE_MASK;
2061             break;
2062         case VNC_ENCODING_COMPRESSLEVEL0 ... VNC_ENCODING_COMPRESSLEVEL0 + 9:
2063             vs->tight.compression = (enc & 0x0F);
2064             break;
2065         case VNC_ENCODING_QUALITYLEVEL0 ... VNC_ENCODING_QUALITYLEVEL0 + 9:
2066             if (vs->vd->lossy) {
2067                 vs->tight.quality = (enc & 0x0F);
2068             }
2069             break;
2070         default:
2071             VNC_DEBUG("Unknown encoding: %d (0x%.8x): %d\n", i, enc, enc);
2072             break;
2073         }
2074     }
2075     vnc_desktop_resize(vs);
2076     check_pointer_type_change(&vs->mouse_mode_notifier, NULL);
2077     vnc_led_state_change(vs);
2078 }
2079 
2080 static void set_pixel_conversion(VncState *vs)
2081 {
2082     pixman_format_code_t fmt = qemu_pixman_get_format(&vs->client_pf);
2083 
2084     if (fmt == VNC_SERVER_FB_FORMAT) {
2085         vs->write_pixels = vnc_write_pixels_copy;
2086         vnc_hextile_set_pixel_conversion(vs, 0);
2087     } else {
2088         vs->write_pixels = vnc_write_pixels_generic;
2089         vnc_hextile_set_pixel_conversion(vs, 1);
2090     }
2091 }
2092 
2093 static void set_pixel_format(VncState *vs,
2094                              int bits_per_pixel, int depth,
2095                              int big_endian_flag, int true_color_flag,
2096                              int red_max, int green_max, int blue_max,
2097                              int red_shift, int green_shift, int blue_shift)
2098 {
2099     if (!true_color_flag) {
2100         vnc_client_error(vs);
2101         return;
2102     }
2103 
2104     switch (bits_per_pixel) {
2105     case 8:
2106     case 16:
2107     case 32:
2108         break;
2109     default:
2110         vnc_client_error(vs);
2111         return;
2112     }
2113 
2114     vs->client_pf.rmax = red_max ? red_max : 0xFF;
2115     vs->client_pf.rbits = hweight_long(red_max);
2116     vs->client_pf.rshift = red_shift;
2117     vs->client_pf.rmask = red_max << red_shift;
2118     vs->client_pf.gmax = green_max ? green_max : 0xFF;
2119     vs->client_pf.gbits = hweight_long(green_max);
2120     vs->client_pf.gshift = green_shift;
2121     vs->client_pf.gmask = green_max << green_shift;
2122     vs->client_pf.bmax = blue_max ? blue_max : 0xFF;
2123     vs->client_pf.bbits = hweight_long(blue_max);
2124     vs->client_pf.bshift = blue_shift;
2125     vs->client_pf.bmask = blue_max << blue_shift;
2126     vs->client_pf.bits_per_pixel = bits_per_pixel;
2127     vs->client_pf.bytes_per_pixel = bits_per_pixel / 8;
2128     vs->client_pf.depth = bits_per_pixel == 32 ? 24 : bits_per_pixel;
2129     vs->client_be = big_endian_flag;
2130 
2131     set_pixel_conversion(vs);
2132 
2133     graphic_hw_invalidate(vs->vd->dcl.con);
2134     graphic_hw_update(vs->vd->dcl.con);
2135 }
2136 
2137 static void pixel_format_message (VncState *vs) {
2138     char pad[3] = { 0, 0, 0 };
2139 
2140     vs->client_pf = qemu_default_pixelformat(32);
2141 
2142     vnc_write_u8(vs, vs->client_pf.bits_per_pixel); /* bits-per-pixel */
2143     vnc_write_u8(vs, vs->client_pf.depth); /* depth */
2144 
2145 #ifdef HOST_WORDS_BIGENDIAN
2146     vnc_write_u8(vs, 1);             /* big-endian-flag */
2147 #else
2148     vnc_write_u8(vs, 0);             /* big-endian-flag */
2149 #endif
2150     vnc_write_u8(vs, 1);             /* true-color-flag */
2151     vnc_write_u16(vs, vs->client_pf.rmax);     /* red-max */
2152     vnc_write_u16(vs, vs->client_pf.gmax);     /* green-max */
2153     vnc_write_u16(vs, vs->client_pf.bmax);     /* blue-max */
2154     vnc_write_u8(vs, vs->client_pf.rshift);    /* red-shift */
2155     vnc_write_u8(vs, vs->client_pf.gshift);    /* green-shift */
2156     vnc_write_u8(vs, vs->client_pf.bshift);    /* blue-shift */
2157     vnc_write(vs, pad, 3);           /* padding */
2158 
2159     vnc_hextile_set_pixel_conversion(vs, 0);
2160     vs->write_pixels = vnc_write_pixels_copy;
2161 }
2162 
2163 static void vnc_colordepth(VncState *vs)
2164 {
2165     if (vnc_has_feature(vs, VNC_FEATURE_WMVI)) {
2166         /* Sending a WMVi message to notify the client*/
2167         vnc_lock_output(vs);
2168         vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2169         vnc_write_u8(vs, 0);
2170         vnc_write_u16(vs, 1); /* number of rects */
2171         vnc_framebuffer_update(vs, 0, 0,
2172                                pixman_image_get_width(vs->vd->server),
2173                                pixman_image_get_height(vs->vd->server),
2174                                VNC_ENCODING_WMVi);
2175         pixel_format_message(vs);
2176         vnc_unlock_output(vs);
2177         vnc_flush(vs);
2178     } else {
2179         set_pixel_conversion(vs);
2180     }
2181 }
2182 
2183 static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
2184 {
2185     int i;
2186     uint16_t limit;
2187     VncDisplay *vd = vs->vd;
2188 
2189     if (data[0] > 3) {
2190         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
2191     }
2192 
2193     switch (data[0]) {
2194     case VNC_MSG_CLIENT_SET_PIXEL_FORMAT:
2195         if (len == 1)
2196             return 20;
2197 
2198         set_pixel_format(vs, read_u8(data, 4), read_u8(data, 5),
2199                          read_u8(data, 6), read_u8(data, 7),
2200                          read_u16(data, 8), read_u16(data, 10),
2201                          read_u16(data, 12), read_u8(data, 14),
2202                          read_u8(data, 15), read_u8(data, 16));
2203         break;
2204     case VNC_MSG_CLIENT_SET_ENCODINGS:
2205         if (len == 1)
2206             return 4;
2207 
2208         if (len == 4) {
2209             limit = read_u16(data, 2);
2210             if (limit > 0)
2211                 return 4 + (limit * 4);
2212         } else
2213             limit = read_u16(data, 2);
2214 
2215         for (i = 0; i < limit; i++) {
2216             int32_t val = read_s32(data, 4 + (i * 4));
2217             memcpy(data + 4 + (i * 4), &val, sizeof(val));
2218         }
2219 
2220         set_encodings(vs, (int32_t *)(data + 4), limit);
2221         break;
2222     case VNC_MSG_CLIENT_FRAMEBUFFER_UPDATE_REQUEST:
2223         if (len == 1)
2224             return 10;
2225 
2226         framebuffer_update_request(vs,
2227                                    read_u8(data, 1), read_u16(data, 2), read_u16(data, 4),
2228                                    read_u16(data, 6), read_u16(data, 8));
2229         break;
2230     case VNC_MSG_CLIENT_KEY_EVENT:
2231         if (len == 1)
2232             return 8;
2233 
2234         key_event(vs, read_u8(data, 1), read_u32(data, 4));
2235         break;
2236     case VNC_MSG_CLIENT_POINTER_EVENT:
2237         if (len == 1)
2238             return 6;
2239 
2240         pointer_event(vs, read_u8(data, 1), read_u16(data, 2), read_u16(data, 4));
2241         break;
2242     case VNC_MSG_CLIENT_CUT_TEXT:
2243         if (len == 1) {
2244             return 8;
2245         }
2246         if (len == 8) {
2247             uint32_t dlen = read_u32(data, 4);
2248             if (dlen > (1 << 20)) {
2249                 error_report("vnc: client_cut_text msg payload has %u bytes"
2250                              " which exceeds our limit of 1MB.", dlen);
2251                 vnc_client_error(vs);
2252                 break;
2253             }
2254             if (dlen > 0) {
2255                 return 8 + dlen;
2256             }
2257         }
2258 
2259         client_cut_text(vs, read_u32(data, 4), data + 8);
2260         break;
2261     case VNC_MSG_CLIENT_QEMU:
2262         if (len == 1)
2263             return 2;
2264 
2265         switch (read_u8(data, 1)) {
2266         case VNC_MSG_CLIENT_QEMU_EXT_KEY_EVENT:
2267             if (len == 2)
2268                 return 12;
2269 
2270             ext_key_event(vs, read_u16(data, 2),
2271                           read_u32(data, 4), read_u32(data, 8));
2272             break;
2273         case VNC_MSG_CLIENT_QEMU_AUDIO:
2274             if (len == 2)
2275                 return 4;
2276 
2277             switch (read_u16 (data, 2)) {
2278             case VNC_MSG_CLIENT_QEMU_AUDIO_ENABLE:
2279                 audio_add(vs);
2280                 break;
2281             case VNC_MSG_CLIENT_QEMU_AUDIO_DISABLE:
2282                 audio_del(vs);
2283                 break;
2284             case VNC_MSG_CLIENT_QEMU_AUDIO_SET_FORMAT:
2285                 if (len == 4)
2286                     return 10;
2287                 switch (read_u8(data, 4)) {
2288                 case 0: vs->as.fmt = AUD_FMT_U8; break;
2289                 case 1: vs->as.fmt = AUD_FMT_S8; break;
2290                 case 2: vs->as.fmt = AUD_FMT_U16; break;
2291                 case 3: vs->as.fmt = AUD_FMT_S16; break;
2292                 case 4: vs->as.fmt = AUD_FMT_U32; break;
2293                 case 5: vs->as.fmt = AUD_FMT_S32; break;
2294                 default:
2295                     VNC_DEBUG("Invalid audio format %d\n", read_u8(data, 4));
2296                     vnc_client_error(vs);
2297                     break;
2298                 }
2299                 vs->as.nchannels = read_u8(data, 5);
2300                 if (vs->as.nchannels != 1 && vs->as.nchannels != 2) {
2301                     VNC_DEBUG("Invalid audio channel coount %d\n",
2302                               read_u8(data, 5));
2303                     vnc_client_error(vs);
2304                     break;
2305                 }
2306                 vs->as.freq = read_u32(data, 6);
2307                 break;
2308             default:
2309                 VNC_DEBUG("Invalid audio message %d\n", read_u8(data, 4));
2310                 vnc_client_error(vs);
2311                 break;
2312             }
2313             break;
2314 
2315         default:
2316             VNC_DEBUG("Msg: %d\n", read_u16(data, 0));
2317             vnc_client_error(vs);
2318             break;
2319         }
2320         break;
2321     default:
2322         VNC_DEBUG("Msg: %d\n", data[0]);
2323         vnc_client_error(vs);
2324         break;
2325     }
2326 
2327     vnc_read_when(vs, protocol_client_msg, 1);
2328     return 0;
2329 }
2330 
2331 static int protocol_client_init(VncState *vs, uint8_t *data, size_t len)
2332 {
2333     char buf[1024];
2334     VncShareMode mode;
2335     int size;
2336 
2337     mode = data[0] ? VNC_SHARE_MODE_SHARED : VNC_SHARE_MODE_EXCLUSIVE;
2338     switch (vs->vd->share_policy) {
2339     case VNC_SHARE_POLICY_IGNORE:
2340         /*
2341          * Ignore the shared flag.  Nothing to do here.
2342          *
2343          * Doesn't conform to the rfb spec but is traditional qemu
2344          * behavior, thus left here as option for compatibility
2345          * reasons.
2346          */
2347         break;
2348     case VNC_SHARE_POLICY_ALLOW_EXCLUSIVE:
2349         /*
2350          * Policy: Allow clients ask for exclusive access.
2351          *
2352          * Implementation: When a client asks for exclusive access,
2353          * disconnect all others. Shared connects are allowed as long
2354          * as no exclusive connection exists.
2355          *
2356          * This is how the rfb spec suggests to handle the shared flag.
2357          */
2358         if (mode == VNC_SHARE_MODE_EXCLUSIVE) {
2359             VncState *client;
2360             QTAILQ_FOREACH(client, &vs->vd->clients, next) {
2361                 if (vs == client) {
2362                     continue;
2363                 }
2364                 if (client->share_mode != VNC_SHARE_MODE_EXCLUSIVE &&
2365                     client->share_mode != VNC_SHARE_MODE_SHARED) {
2366                     continue;
2367                 }
2368                 vnc_disconnect_start(client);
2369             }
2370         }
2371         if (mode == VNC_SHARE_MODE_SHARED) {
2372             if (vs->vd->num_exclusive > 0) {
2373                 vnc_disconnect_start(vs);
2374                 return 0;
2375             }
2376         }
2377         break;
2378     case VNC_SHARE_POLICY_FORCE_SHARED:
2379         /*
2380          * Policy: Shared connects only.
2381          * Implementation: Disallow clients asking for exclusive access.
2382          *
2383          * Useful for shared desktop sessions where you don't want
2384          * someone forgetting to say -shared when running the vnc
2385          * client disconnect everybody else.
2386          */
2387         if (mode == VNC_SHARE_MODE_EXCLUSIVE) {
2388             vnc_disconnect_start(vs);
2389             return 0;
2390         }
2391         break;
2392     }
2393     vnc_set_share_mode(vs, mode);
2394 
2395     if (vs->vd->num_shared > vs->vd->connections_limit) {
2396         vnc_disconnect_start(vs);
2397         return 0;
2398     }
2399 
2400     vs->client_width = pixman_image_get_width(vs->vd->server);
2401     vs->client_height = pixman_image_get_height(vs->vd->server);
2402     vnc_write_u16(vs, vs->client_width);
2403     vnc_write_u16(vs, vs->client_height);
2404 
2405     pixel_format_message(vs);
2406 
2407     if (qemu_name)
2408         size = snprintf(buf, sizeof(buf), "QEMU (%s)", qemu_name);
2409     else
2410         size = snprintf(buf, sizeof(buf), "QEMU");
2411 
2412     vnc_write_u32(vs, size);
2413     vnc_write(vs, buf, size);
2414     vnc_flush(vs);
2415 
2416     vnc_client_cache_auth(vs);
2417     vnc_qmp_event(vs, QAPI_EVENT_VNC_INITIALIZED);
2418 
2419     vnc_read_when(vs, protocol_client_msg, 1);
2420 
2421     return 0;
2422 }
2423 
2424 void start_client_init(VncState *vs)
2425 {
2426     vnc_read_when(vs, protocol_client_init, 1);
2427 }
2428 
2429 static void make_challenge(VncState *vs)
2430 {
2431     int i;
2432 
2433     srand(time(NULL)+getpid()+getpid()*987654+rand());
2434 
2435     for (i = 0 ; i < sizeof(vs->challenge) ; i++)
2436         vs->challenge[i] = (int) (256.0*rand()/(RAND_MAX+1.0));
2437 }
2438 
2439 static int protocol_client_auth_vnc(VncState *vs, uint8_t *data, size_t len)
2440 {
2441     unsigned char response[VNC_AUTH_CHALLENGE_SIZE];
2442     size_t i, pwlen;
2443     unsigned char key[8];
2444     time_t now = time(NULL);
2445     QCryptoCipher *cipher = NULL;
2446     Error *err = NULL;
2447 
2448     if (!vs->vd->password) {
2449         VNC_DEBUG("No password configured on server");
2450         goto reject;
2451     }
2452     if (vs->vd->expires < now) {
2453         VNC_DEBUG("Password is expired");
2454         goto reject;
2455     }
2456 
2457     memcpy(response, vs->challenge, VNC_AUTH_CHALLENGE_SIZE);
2458 
2459     /* Calculate the expected challenge response */
2460     pwlen = strlen(vs->vd->password);
2461     for (i=0; i<sizeof(key); i++)
2462         key[i] = i<pwlen ? vs->vd->password[i] : 0;
2463 
2464     cipher = qcrypto_cipher_new(
2465         QCRYPTO_CIPHER_ALG_DES_RFB,
2466         QCRYPTO_CIPHER_MODE_ECB,
2467         key, G_N_ELEMENTS(key),
2468         &err);
2469     if (!cipher) {
2470         VNC_DEBUG("Cannot initialize cipher %s",
2471                   error_get_pretty(err));
2472         error_free(err);
2473         goto reject;
2474     }
2475 
2476     if (qcrypto_cipher_encrypt(cipher,
2477                                vs->challenge,
2478                                response,
2479                                VNC_AUTH_CHALLENGE_SIZE,
2480                                &err) < 0) {
2481         VNC_DEBUG("Cannot encrypt challenge %s",
2482                   error_get_pretty(err));
2483         error_free(err);
2484         goto reject;
2485     }
2486 
2487     /* Compare expected vs actual challenge response */
2488     if (memcmp(response, data, VNC_AUTH_CHALLENGE_SIZE) != 0) {
2489         VNC_DEBUG("Client challenge response did not match\n");
2490         goto reject;
2491     } else {
2492         VNC_DEBUG("Accepting VNC challenge response\n");
2493         vnc_write_u32(vs, 0); /* Accept auth */
2494         vnc_flush(vs);
2495 
2496         start_client_init(vs);
2497     }
2498 
2499     qcrypto_cipher_free(cipher);
2500     return 0;
2501 
2502 reject:
2503     vnc_write_u32(vs, 1); /* Reject auth */
2504     if (vs->minor >= 8) {
2505         static const char err[] = "Authentication failed";
2506         vnc_write_u32(vs, sizeof(err));
2507         vnc_write(vs, err, sizeof(err));
2508     }
2509     vnc_flush(vs);
2510     vnc_client_error(vs);
2511     qcrypto_cipher_free(cipher);
2512     return 0;
2513 }
2514 
2515 void start_auth_vnc(VncState *vs)
2516 {
2517     make_challenge(vs);
2518     /* Send client a 'random' challenge */
2519     vnc_write(vs, vs->challenge, sizeof(vs->challenge));
2520     vnc_flush(vs);
2521 
2522     vnc_read_when(vs, protocol_client_auth_vnc, sizeof(vs->challenge));
2523 }
2524 
2525 
2526 static int protocol_client_auth(VncState *vs, uint8_t *data, size_t len)
2527 {
2528     /* We only advertise 1 auth scheme at a time, so client
2529      * must pick the one we sent. Verify this */
2530     if (data[0] != vs->auth) { /* Reject auth */
2531        VNC_DEBUG("Reject auth %d because it didn't match advertized\n", (int)data[0]);
2532        vnc_write_u32(vs, 1);
2533        if (vs->minor >= 8) {
2534            static const char err[] = "Authentication failed";
2535            vnc_write_u32(vs, sizeof(err));
2536            vnc_write(vs, err, sizeof(err));
2537        }
2538        vnc_client_error(vs);
2539     } else { /* Accept requested auth */
2540        VNC_DEBUG("Client requested auth %d\n", (int)data[0]);
2541        switch (vs->auth) {
2542        case VNC_AUTH_NONE:
2543            VNC_DEBUG("Accept auth none\n");
2544            if (vs->minor >= 8) {
2545                vnc_write_u32(vs, 0); /* Accept auth completion */
2546                vnc_flush(vs);
2547            }
2548            start_client_init(vs);
2549            break;
2550 
2551        case VNC_AUTH_VNC:
2552            VNC_DEBUG("Start VNC auth\n");
2553            start_auth_vnc(vs);
2554            break;
2555 
2556        case VNC_AUTH_VENCRYPT:
2557            VNC_DEBUG("Accept VeNCrypt auth\n");
2558            start_auth_vencrypt(vs);
2559            break;
2560 
2561 #ifdef CONFIG_VNC_SASL
2562        case VNC_AUTH_SASL:
2563            VNC_DEBUG("Accept SASL auth\n");
2564            start_auth_sasl(vs);
2565            break;
2566 #endif /* CONFIG_VNC_SASL */
2567 
2568        default: /* Should not be possible, but just in case */
2569            VNC_DEBUG("Reject auth %d server code bug\n", vs->auth);
2570            vnc_write_u8(vs, 1);
2571            if (vs->minor >= 8) {
2572                static const char err[] = "Authentication failed";
2573                vnc_write_u32(vs, sizeof(err));
2574                vnc_write(vs, err, sizeof(err));
2575            }
2576            vnc_client_error(vs);
2577        }
2578     }
2579     return 0;
2580 }
2581 
2582 static int protocol_version(VncState *vs, uint8_t *version, size_t len)
2583 {
2584     char local[13];
2585 
2586     memcpy(local, version, 12);
2587     local[12] = 0;
2588 
2589     if (sscanf(local, "RFB %03d.%03d\n", &vs->major, &vs->minor) != 2) {
2590         VNC_DEBUG("Malformed protocol version %s\n", local);
2591         vnc_client_error(vs);
2592         return 0;
2593     }
2594     VNC_DEBUG("Client request protocol version %d.%d\n", vs->major, vs->minor);
2595     if (vs->major != 3 ||
2596         (vs->minor != 3 &&
2597          vs->minor != 4 &&
2598          vs->minor != 5 &&
2599          vs->minor != 7 &&
2600          vs->minor != 8)) {
2601         VNC_DEBUG("Unsupported client version\n");
2602         vnc_write_u32(vs, VNC_AUTH_INVALID);
2603         vnc_flush(vs);
2604         vnc_client_error(vs);
2605         return 0;
2606     }
2607     /* Some broken clients report v3.4 or v3.5, which spec requires to be treated
2608      * as equivalent to v3.3 by servers
2609      */
2610     if (vs->minor == 4 || vs->minor == 5)
2611         vs->minor = 3;
2612 
2613     if (vs->minor == 3) {
2614         if (vs->auth == VNC_AUTH_NONE) {
2615             VNC_DEBUG("Tell client auth none\n");
2616             vnc_write_u32(vs, vs->auth);
2617             vnc_flush(vs);
2618             start_client_init(vs);
2619        } else if (vs->auth == VNC_AUTH_VNC) {
2620             VNC_DEBUG("Tell client VNC auth\n");
2621             vnc_write_u32(vs, vs->auth);
2622             vnc_flush(vs);
2623             start_auth_vnc(vs);
2624        } else {
2625             VNC_DEBUG("Unsupported auth %d for protocol 3.3\n", vs->auth);
2626             vnc_write_u32(vs, VNC_AUTH_INVALID);
2627             vnc_flush(vs);
2628             vnc_client_error(vs);
2629        }
2630     } else {
2631         VNC_DEBUG("Telling client we support auth %d\n", vs->auth);
2632         vnc_write_u8(vs, 1); /* num auth */
2633         vnc_write_u8(vs, vs->auth);
2634         vnc_read_when(vs, protocol_client_auth, 1);
2635         vnc_flush(vs);
2636     }
2637 
2638     return 0;
2639 }
2640 
2641 static VncRectStat *vnc_stat_rect(VncDisplay *vd, int x, int y)
2642 {
2643     struct VncSurface *vs = &vd->guest;
2644 
2645     return &vs->stats[y / VNC_STAT_RECT][x / VNC_STAT_RECT];
2646 }
2647 
2648 void vnc_sent_lossy_rect(VncState *vs, int x, int y, int w, int h)
2649 {
2650     int i, j;
2651 
2652     w = (x + w) / VNC_STAT_RECT;
2653     h = (y + h) / VNC_STAT_RECT;
2654     x /= VNC_STAT_RECT;
2655     y /= VNC_STAT_RECT;
2656 
2657     for (j = y; j <= h; j++) {
2658         for (i = x; i <= w; i++) {
2659             vs->lossy_rect[j][i] = 1;
2660         }
2661     }
2662 }
2663 
2664 static int vnc_refresh_lossy_rect(VncDisplay *vd, int x, int y)
2665 {
2666     VncState *vs;
2667     int sty = y / VNC_STAT_RECT;
2668     int stx = x / VNC_STAT_RECT;
2669     int has_dirty = 0;
2670 
2671     y = y / VNC_STAT_RECT * VNC_STAT_RECT;
2672     x = x / VNC_STAT_RECT * VNC_STAT_RECT;
2673 
2674     QTAILQ_FOREACH(vs, &vd->clients, next) {
2675         int j;
2676 
2677         /* kernel send buffers are full -> refresh later */
2678         if (vs->output.offset) {
2679             continue;
2680         }
2681 
2682         if (!vs->lossy_rect[sty][stx]) {
2683             continue;
2684         }
2685 
2686         vs->lossy_rect[sty][stx] = 0;
2687         for (j = 0; j < VNC_STAT_RECT; ++j) {
2688             bitmap_set(vs->dirty[y + j],
2689                        x / VNC_DIRTY_PIXELS_PER_BIT,
2690                        VNC_STAT_RECT / VNC_DIRTY_PIXELS_PER_BIT);
2691         }
2692         has_dirty++;
2693     }
2694 
2695     return has_dirty;
2696 }
2697 
2698 static int vnc_update_stats(VncDisplay *vd,  struct timeval * tv)
2699 {
2700     int width = pixman_image_get_width(vd->guest.fb);
2701     int height = pixman_image_get_height(vd->guest.fb);
2702     int x, y;
2703     struct timeval res;
2704     int has_dirty = 0;
2705 
2706     for (y = 0; y < height; y += VNC_STAT_RECT) {
2707         for (x = 0; x < width; x += VNC_STAT_RECT) {
2708             VncRectStat *rect = vnc_stat_rect(vd, x, y);
2709 
2710             rect->updated = false;
2711         }
2712     }
2713 
2714     qemu_timersub(tv, &VNC_REFRESH_STATS, &res);
2715 
2716     if (timercmp(&vd->guest.last_freq_check, &res, >)) {
2717         return has_dirty;
2718     }
2719     vd->guest.last_freq_check = *tv;
2720 
2721     for (y = 0; y < height; y += VNC_STAT_RECT) {
2722         for (x = 0; x < width; x += VNC_STAT_RECT) {
2723             VncRectStat *rect= vnc_stat_rect(vd, x, y);
2724             int count = ARRAY_SIZE(rect->times);
2725             struct timeval min, max;
2726 
2727             if (!timerisset(&rect->times[count - 1])) {
2728                 continue ;
2729             }
2730 
2731             max = rect->times[(rect->idx + count - 1) % count];
2732             qemu_timersub(tv, &max, &res);
2733 
2734             if (timercmp(&res, &VNC_REFRESH_LOSSY, >)) {
2735                 rect->freq = 0;
2736                 has_dirty += vnc_refresh_lossy_rect(vd, x, y);
2737                 memset(rect->times, 0, sizeof (rect->times));
2738                 continue ;
2739             }
2740 
2741             min = rect->times[rect->idx];
2742             max = rect->times[(rect->idx + count - 1) % count];
2743             qemu_timersub(&max, &min, &res);
2744 
2745             rect->freq = res.tv_sec + res.tv_usec / 1000000.;
2746             rect->freq /= count;
2747             rect->freq = 1. / rect->freq;
2748         }
2749     }
2750     return has_dirty;
2751 }
2752 
2753 double vnc_update_freq(VncState *vs, int x, int y, int w, int h)
2754 {
2755     int i, j;
2756     double total = 0;
2757     int num = 0;
2758 
2759     x =  (x / VNC_STAT_RECT) * VNC_STAT_RECT;
2760     y =  (y / VNC_STAT_RECT) * VNC_STAT_RECT;
2761 
2762     for (j = y; j <= y + h; j += VNC_STAT_RECT) {
2763         for (i = x; i <= x + w; i += VNC_STAT_RECT) {
2764             total += vnc_stat_rect(vs->vd, i, j)->freq;
2765             num++;
2766         }
2767     }
2768 
2769     if (num) {
2770         return total / num;
2771     } else {
2772         return 0;
2773     }
2774 }
2775 
2776 static void vnc_rect_updated(VncDisplay *vd, int x, int y, struct timeval * tv)
2777 {
2778     VncRectStat *rect;
2779 
2780     rect = vnc_stat_rect(vd, x, y);
2781     if (rect->updated) {
2782         return ;
2783     }
2784     rect->times[rect->idx] = *tv;
2785     rect->idx = (rect->idx + 1) % ARRAY_SIZE(rect->times);
2786     rect->updated = true;
2787 }
2788 
2789 static int vnc_refresh_server_surface(VncDisplay *vd)
2790 {
2791     int width = MIN(pixman_image_get_width(vd->guest.fb),
2792                     pixman_image_get_width(vd->server));
2793     int height = MIN(pixman_image_get_height(vd->guest.fb),
2794                      pixman_image_get_height(vd->server));
2795     int cmp_bytes, server_stride, line_bytes, guest_ll, guest_stride, y = 0;
2796     uint8_t *guest_row0 = NULL, *server_row0;
2797     VncState *vs;
2798     int has_dirty = 0;
2799     pixman_image_t *tmpbuf = NULL;
2800 
2801     struct timeval tv = { 0, 0 };
2802 
2803     if (!vd->non_adaptive) {
2804         gettimeofday(&tv, NULL);
2805         has_dirty = vnc_update_stats(vd, &tv);
2806     }
2807 
2808     /*
2809      * Walk through the guest dirty map.
2810      * Check and copy modified bits from guest to server surface.
2811      * Update server dirty map.
2812      */
2813     server_row0 = (uint8_t *)pixman_image_get_data(vd->server);
2814     server_stride = guest_stride = guest_ll =
2815         pixman_image_get_stride(vd->server);
2816     cmp_bytes = MIN(VNC_DIRTY_PIXELS_PER_BIT * VNC_SERVER_FB_BYTES,
2817                     server_stride);
2818     if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
2819         int width = pixman_image_get_width(vd->server);
2820         tmpbuf = qemu_pixman_linebuf_create(VNC_SERVER_FB_FORMAT, width);
2821     } else {
2822         int guest_bpp =
2823             PIXMAN_FORMAT_BPP(pixman_image_get_format(vd->guest.fb));
2824         guest_row0 = (uint8_t *)pixman_image_get_data(vd->guest.fb);
2825         guest_stride = pixman_image_get_stride(vd->guest.fb);
2826         guest_ll = pixman_image_get_width(vd->guest.fb) * ((guest_bpp + 7) / 8);
2827     }
2828     line_bytes = MIN(server_stride, guest_ll);
2829 
2830     for (;;) {
2831         int x;
2832         uint8_t *guest_ptr, *server_ptr;
2833         unsigned long offset = find_next_bit((unsigned long *) &vd->guest.dirty,
2834                                              height * VNC_DIRTY_BPL(&vd->guest),
2835                                              y * VNC_DIRTY_BPL(&vd->guest));
2836         if (offset == height * VNC_DIRTY_BPL(&vd->guest)) {
2837             /* no more dirty bits */
2838             break;
2839         }
2840         y = offset / VNC_DIRTY_BPL(&vd->guest);
2841         x = offset % VNC_DIRTY_BPL(&vd->guest);
2842 
2843         server_ptr = server_row0 + y * server_stride + x * cmp_bytes;
2844 
2845         if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
2846             qemu_pixman_linebuf_fill(tmpbuf, vd->guest.fb, width, 0, y);
2847             guest_ptr = (uint8_t *)pixman_image_get_data(tmpbuf);
2848         } else {
2849             guest_ptr = guest_row0 + y * guest_stride;
2850         }
2851         guest_ptr += x * cmp_bytes;
2852 
2853         for (; x < DIV_ROUND_UP(width, VNC_DIRTY_PIXELS_PER_BIT);
2854              x++, guest_ptr += cmp_bytes, server_ptr += cmp_bytes) {
2855             int _cmp_bytes = cmp_bytes;
2856             if (!test_and_clear_bit(x, vd->guest.dirty[y])) {
2857                 continue;
2858             }
2859             if ((x + 1) * cmp_bytes > line_bytes) {
2860                 _cmp_bytes = line_bytes - x * cmp_bytes;
2861             }
2862             assert(_cmp_bytes >= 0);
2863             if (memcmp(server_ptr, guest_ptr, _cmp_bytes) == 0) {
2864                 continue;
2865             }
2866             memcpy(server_ptr, guest_ptr, _cmp_bytes);
2867             if (!vd->non_adaptive) {
2868                 vnc_rect_updated(vd, x * VNC_DIRTY_PIXELS_PER_BIT,
2869                                  y, &tv);
2870             }
2871             QTAILQ_FOREACH(vs, &vd->clients, next) {
2872                 set_bit(x, vs->dirty[y]);
2873             }
2874             has_dirty++;
2875         }
2876 
2877         y++;
2878     }
2879     qemu_pixman_image_unref(tmpbuf);
2880     return has_dirty;
2881 }
2882 
2883 static void vnc_refresh(DisplayChangeListener *dcl)
2884 {
2885     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
2886     VncState *vs, *vn;
2887     int has_dirty, rects = 0;
2888 
2889     if (QTAILQ_EMPTY(&vd->clients)) {
2890         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_MAX);
2891         return;
2892     }
2893 
2894     graphic_hw_update(vd->dcl.con);
2895 
2896     if (vnc_trylock_display(vd)) {
2897         update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
2898         return;
2899     }
2900 
2901     has_dirty = vnc_refresh_server_surface(vd);
2902     vnc_unlock_display(vd);
2903 
2904     QTAILQ_FOREACH_SAFE(vs, &vd->clients, next, vn) {
2905         rects += vnc_update_client(vs, has_dirty, false);
2906         /* vs might be free()ed here */
2907     }
2908 
2909     if (has_dirty && rects) {
2910         vd->dcl.update_interval /= 2;
2911         if (vd->dcl.update_interval < VNC_REFRESH_INTERVAL_BASE) {
2912             vd->dcl.update_interval = VNC_REFRESH_INTERVAL_BASE;
2913         }
2914     } else {
2915         vd->dcl.update_interval += VNC_REFRESH_INTERVAL_INC;
2916         if (vd->dcl.update_interval > VNC_REFRESH_INTERVAL_MAX) {
2917             vd->dcl.update_interval = VNC_REFRESH_INTERVAL_MAX;
2918         }
2919     }
2920 }
2921 
2922 static void vnc_connect(VncDisplay *vd, QIOChannelSocket *sioc,
2923                         bool skipauth, bool websocket)
2924 {
2925     VncState *vs = g_new0(VncState, 1);
2926     int i;
2927 
2928     vs->sioc = sioc;
2929     object_ref(OBJECT(vs->sioc));
2930     vs->ioc = QIO_CHANNEL(sioc);
2931     object_ref(OBJECT(vs->ioc));
2932     vs->vd = vd;
2933 
2934     buffer_init(&vs->input,          "vnc-input/%p", sioc);
2935     buffer_init(&vs->output,         "vnc-output/%p", sioc);
2936     buffer_init(&vs->jobs_buffer,    "vnc-jobs_buffer/%p", sioc);
2937 
2938     buffer_init(&vs->tight.tight,    "vnc-tight/%p", sioc);
2939     buffer_init(&vs->tight.zlib,     "vnc-tight-zlib/%p", sioc);
2940     buffer_init(&vs->tight.gradient, "vnc-tight-gradient/%p", sioc);
2941 #ifdef CONFIG_VNC_JPEG
2942     buffer_init(&vs->tight.jpeg,     "vnc-tight-jpeg/%p", sioc);
2943 #endif
2944 #ifdef CONFIG_VNC_PNG
2945     buffer_init(&vs->tight.png,      "vnc-tight-png/%p", sioc);
2946 #endif
2947     buffer_init(&vs->zlib.zlib,      "vnc-zlib/%p", sioc);
2948     buffer_init(&vs->zrle.zrle,      "vnc-zrle/%p", sioc);
2949     buffer_init(&vs->zrle.fb,        "vnc-zrle-fb/%p", sioc);
2950     buffer_init(&vs->zrle.zlib,      "vnc-zrle-zlib/%p", sioc);
2951 
2952     if (skipauth) {
2953 	vs->auth = VNC_AUTH_NONE;
2954 	vs->subauth = VNC_AUTH_INVALID;
2955     } else {
2956         if (websocket) {
2957             vs->auth = vd->ws_auth;
2958             vs->subauth = VNC_AUTH_INVALID;
2959         } else {
2960             vs->auth = vd->auth;
2961             vs->subauth = vd->subauth;
2962         }
2963     }
2964     VNC_DEBUG("Client sioc=%p ws=%d auth=%d subauth=%d\n",
2965               sioc, websocket, vs->auth, vs->subauth);
2966 
2967     vs->lossy_rect = g_malloc0(VNC_STAT_ROWS * sizeof (*vs->lossy_rect));
2968     for (i = 0; i < VNC_STAT_ROWS; ++i) {
2969         vs->lossy_rect[i] = g_new0(uint8_t, VNC_STAT_COLS);
2970     }
2971 
2972     VNC_DEBUG("New client on socket %p\n", vs->sioc);
2973     update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
2974     qio_channel_set_blocking(vs->ioc, false, NULL);
2975     if (websocket) {
2976         vs->websocket = 1;
2977         if (vd->ws_tls) {
2978             vs->ioc_tag = qio_channel_add_watch(
2979                 vs->ioc, G_IO_IN, vncws_tls_handshake_io, vs, NULL);
2980         } else {
2981             vs->ioc_tag = qio_channel_add_watch(
2982                 vs->ioc, G_IO_IN, vncws_handshake_io, vs, NULL);
2983         }
2984     } else {
2985         vs->ioc_tag = qio_channel_add_watch(
2986             vs->ioc, G_IO_IN, vnc_client_io, vs, NULL);
2987     }
2988 
2989     vnc_client_cache_addr(vs);
2990     vnc_qmp_event(vs, QAPI_EVENT_VNC_CONNECTED);
2991     vnc_set_share_mode(vs, VNC_SHARE_MODE_CONNECTING);
2992 
2993     if (!vs->websocket) {
2994         vnc_init_state(vs);
2995     }
2996 
2997     if (vd->num_connecting > vd->connections_limit) {
2998         QTAILQ_FOREACH(vs, &vd->clients, next) {
2999             if (vs->share_mode == VNC_SHARE_MODE_CONNECTING) {
3000                 vnc_disconnect_start(vs);
3001                 return;
3002             }
3003         }
3004     }
3005 }
3006 
3007 void vnc_init_state(VncState *vs)
3008 {
3009     vs->initialized = true;
3010     VncDisplay *vd = vs->vd;
3011     bool first_client = QTAILQ_EMPTY(&vd->clients);
3012 
3013     vs->last_x = -1;
3014     vs->last_y = -1;
3015 
3016     vs->as.freq = 44100;
3017     vs->as.nchannels = 2;
3018     vs->as.fmt = AUD_FMT_S16;
3019     vs->as.endianness = 0;
3020 
3021     qemu_mutex_init(&vs->output_mutex);
3022     vs->bh = qemu_bh_new(vnc_jobs_bh, vs);
3023 
3024     QTAILQ_INSERT_TAIL(&vd->clients, vs, next);
3025     if (first_client) {
3026         vnc_update_server_surface(vd);
3027     }
3028 
3029     graphic_hw_update(vd->dcl.con);
3030 
3031     vnc_write(vs, "RFB 003.008\n", 12);
3032     vnc_flush(vs);
3033     vnc_read_when(vs, protocol_version, 12);
3034     reset_keys(vs);
3035     if (vs->vd->lock_key_sync)
3036         vs->led = qemu_add_led_event_handler(kbd_leds, vs);
3037 
3038     vs->mouse_mode_notifier.notify = check_pointer_type_change;
3039     qemu_add_mouse_mode_change_notifier(&vs->mouse_mode_notifier);
3040 
3041     /* vs might be free()ed here */
3042 }
3043 
3044 static gboolean vnc_listen_io(QIOChannel *ioc,
3045                               GIOCondition condition,
3046                               void *opaque)
3047 {
3048     VncDisplay *vs = opaque;
3049     QIOChannelSocket *sioc = NULL;
3050     Error *err = NULL;
3051 
3052     /* Catch-up */
3053     graphic_hw_update(vs->dcl.con);
3054     sioc = qio_channel_socket_accept(QIO_CHANNEL_SOCKET(ioc), &err);
3055     if (sioc != NULL) {
3056         qio_channel_set_delay(QIO_CHANNEL(sioc), false);
3057         vnc_connect(vs, sioc, false,
3058                     ioc != QIO_CHANNEL(vs->lsock));
3059         object_unref(OBJECT(sioc));
3060     } else {
3061         /* client probably closed connection before we got there */
3062         error_free(err);
3063     }
3064 
3065     return TRUE;
3066 }
3067 
3068 static const DisplayChangeListenerOps dcl_ops = {
3069     .dpy_name             = "vnc",
3070     .dpy_refresh          = vnc_refresh,
3071     .dpy_gfx_copy         = vnc_dpy_copy,
3072     .dpy_gfx_update       = vnc_dpy_update,
3073     .dpy_gfx_switch       = vnc_dpy_switch,
3074     .dpy_gfx_check_format = qemu_pixman_check_format,
3075     .dpy_mouse_set        = vnc_mouse_set,
3076     .dpy_cursor_define    = vnc_dpy_cursor_define,
3077 };
3078 
3079 void vnc_display_init(const char *id)
3080 {
3081     VncDisplay *vs;
3082 
3083     if (vnc_display_find(id) != NULL) {
3084         return;
3085     }
3086     vs = g_malloc0(sizeof(*vs));
3087 
3088     vs->id = strdup(id);
3089     QTAILQ_INSERT_TAIL(&vnc_displays, vs, next);
3090 
3091     QTAILQ_INIT(&vs->clients);
3092     vs->expires = TIME_MAX;
3093 
3094     if (keyboard_layout) {
3095         trace_vnc_key_map_init(keyboard_layout);
3096         vs->kbd_layout = init_keyboard_layout(name2keysym, keyboard_layout);
3097     } else {
3098         vs->kbd_layout = init_keyboard_layout(name2keysym, "en-us");
3099     }
3100 
3101     if (!vs->kbd_layout)
3102         exit(1);
3103 
3104     qemu_mutex_init(&vs->mutex);
3105     vnc_start_worker_thread();
3106 
3107     vs->dcl.ops = &dcl_ops;
3108     register_displaychangelistener(&vs->dcl);
3109 }
3110 
3111 
3112 static void vnc_display_close(VncDisplay *vs)
3113 {
3114     if (!vs)
3115         return;
3116     vs->enabled = false;
3117     vs->is_unix = false;
3118     if (vs->lsock != NULL) {
3119         if (vs->lsock_tag) {
3120             g_source_remove(vs->lsock_tag);
3121         }
3122         object_unref(OBJECT(vs->lsock));
3123         vs->lsock = NULL;
3124     }
3125     vs->ws_enabled = false;
3126     if (vs->lwebsock != NULL) {
3127         if (vs->lwebsock_tag) {
3128             g_source_remove(vs->lwebsock_tag);
3129         }
3130         object_unref(OBJECT(vs->lwebsock));
3131         vs->lwebsock = NULL;
3132     }
3133     vs->auth = VNC_AUTH_INVALID;
3134     vs->subauth = VNC_AUTH_INVALID;
3135     if (vs->tlscreds) {
3136         object_unparent(OBJECT(vs->tlscreds));
3137         vs->tlscreds = NULL;
3138     }
3139     g_free(vs->tlsaclname);
3140     vs->tlsaclname = NULL;
3141 }
3142 
3143 int vnc_display_password(const char *id, const char *password)
3144 {
3145     VncDisplay *vs = vnc_display_find(id);
3146 
3147     if (!vs) {
3148         return -EINVAL;
3149     }
3150     if (vs->auth == VNC_AUTH_NONE) {
3151         error_printf_unless_qmp("If you want use passwords please enable "
3152                                 "password auth using '-vnc ${dpy},password'.");
3153         return -EINVAL;
3154     }
3155 
3156     g_free(vs->password);
3157     vs->password = g_strdup(password);
3158 
3159     return 0;
3160 }
3161 
3162 int vnc_display_pw_expire(const char *id, time_t expires)
3163 {
3164     VncDisplay *vs = vnc_display_find(id);
3165 
3166     if (!vs) {
3167         return -EINVAL;
3168     }
3169 
3170     vs->expires = expires;
3171     return 0;
3172 }
3173 
3174 char *vnc_display_local_addr(const char *id)
3175 {
3176     VncDisplay *vs = vnc_display_find(id);
3177     SocketAddress *addr;
3178     char *ret;
3179     Error *err = NULL;
3180 
3181     assert(vs);
3182 
3183     addr = qio_channel_socket_get_local_address(vs->lsock, &err);
3184     if (!addr) {
3185         return NULL;
3186     }
3187 
3188     if (addr->type != SOCKET_ADDRESS_KIND_INET) {
3189         qapi_free_SocketAddress(addr);
3190         return NULL;
3191     }
3192     ret = g_strdup_printf("%s;%s", addr->u.inet->host, addr->u.inet->port);
3193     qapi_free_SocketAddress(addr);
3194 
3195     return ret;
3196 }
3197 
3198 static QemuOptsList qemu_vnc_opts = {
3199     .name = "vnc",
3200     .head = QTAILQ_HEAD_INITIALIZER(qemu_vnc_opts.head),
3201     .implied_opt_name = "vnc",
3202     .desc = {
3203         {
3204             .name = "vnc",
3205             .type = QEMU_OPT_STRING,
3206         },{
3207             .name = "websocket",
3208             .type = QEMU_OPT_STRING,
3209         },{
3210             .name = "tls-creds",
3211             .type = QEMU_OPT_STRING,
3212         },{
3213             /* Deprecated in favour of tls-creds */
3214             .name = "x509",
3215             .type = QEMU_OPT_STRING,
3216         },{
3217             .name = "share",
3218             .type = QEMU_OPT_STRING,
3219         },{
3220             .name = "display",
3221             .type = QEMU_OPT_STRING,
3222         },{
3223             .name = "head",
3224             .type = QEMU_OPT_NUMBER,
3225         },{
3226             .name = "connections",
3227             .type = QEMU_OPT_NUMBER,
3228         },{
3229             .name = "to",
3230             .type = QEMU_OPT_NUMBER,
3231         },{
3232             .name = "ipv4",
3233             .type = QEMU_OPT_BOOL,
3234         },{
3235             .name = "ipv6",
3236             .type = QEMU_OPT_BOOL,
3237         },{
3238             .name = "password",
3239             .type = QEMU_OPT_BOOL,
3240         },{
3241             .name = "reverse",
3242             .type = QEMU_OPT_BOOL,
3243         },{
3244             .name = "lock-key-sync",
3245             .type = QEMU_OPT_BOOL,
3246         },{
3247             .name = "sasl",
3248             .type = QEMU_OPT_BOOL,
3249         },{
3250             /* Deprecated in favour of tls-creds */
3251             .name = "tls",
3252             .type = QEMU_OPT_BOOL,
3253         },{
3254             /* Deprecated in favour of tls-creds */
3255             .name = "x509verify",
3256             .type = QEMU_OPT_STRING,
3257         },{
3258             .name = "acl",
3259             .type = QEMU_OPT_BOOL,
3260         },{
3261             .name = "lossy",
3262             .type = QEMU_OPT_BOOL,
3263         },{
3264             .name = "non-adaptive",
3265             .type = QEMU_OPT_BOOL,
3266         },
3267         { /* end of list */ }
3268     },
3269 };
3270 
3271 
3272 static int
3273 vnc_display_setup_auth(VncDisplay *vs,
3274                        bool password,
3275                        bool sasl,
3276                        bool websocket,
3277                        Error **errp)
3278 {
3279     /*
3280      * We have a choice of 3 authentication options
3281      *
3282      *   1. none
3283      *   2. vnc
3284      *   3. sasl
3285      *
3286      * The channel can be run in 2 modes
3287      *
3288      *   1. clear
3289      *   2. tls
3290      *
3291      * And TLS can use 2 types of credentials
3292      *
3293      *   1. anon
3294      *   2. x509
3295      *
3296      * We thus have 9 possible logical combinations
3297      *
3298      *   1. clear + none
3299      *   2. clear + vnc
3300      *   3. clear + sasl
3301      *   4. tls + anon + none
3302      *   5. tls + anon + vnc
3303      *   6. tls + anon + sasl
3304      *   7. tls + x509 + none
3305      *   8. tls + x509 + vnc
3306      *   9. tls + x509 + sasl
3307      *
3308      * These need to be mapped into the VNC auth schemes
3309      * in an appropriate manner. In regular VNC, all the
3310      * TLS options get mapped into VNC_AUTH_VENCRYPT
3311      * sub-auth types.
3312      *
3313      * In websockets, the https:// protocol already provides
3314      * TLS support, so there is no need to make use of the
3315      * VeNCrypt extension. Furthermore, websockets browser
3316      * clients could not use VeNCrypt even if they wanted to,
3317      * as they cannot control when the TLS handshake takes
3318      * place. Thus there is no option but to rely on https://,
3319      * meaning combinations 4->6 and 7->9 will be mapped to
3320      * VNC auth schemes in the same way as combos 1->3.
3321      *
3322      * Regardless of fact that we have a different mapping to
3323      * VNC auth mechs for plain VNC vs websockets VNC, the end
3324      * result has the same security characteristics.
3325      */
3326     if (password) {
3327         if (vs->tlscreds) {
3328             vs->auth = VNC_AUTH_VENCRYPT;
3329             if (websocket) {
3330                 vs->ws_tls = true;
3331             }
3332             if (object_dynamic_cast(OBJECT(vs->tlscreds),
3333                                     TYPE_QCRYPTO_TLS_CREDS_X509)) {
3334                 VNC_DEBUG("Initializing VNC server with x509 password auth\n");
3335                 vs->subauth = VNC_AUTH_VENCRYPT_X509VNC;
3336             } else if (object_dynamic_cast(OBJECT(vs->tlscreds),
3337                                            TYPE_QCRYPTO_TLS_CREDS_ANON)) {
3338                 VNC_DEBUG("Initializing VNC server with TLS password auth\n");
3339                 vs->subauth = VNC_AUTH_VENCRYPT_TLSVNC;
3340             } else {
3341                 error_setg(errp,
3342                            "Unsupported TLS cred type %s",
3343                            object_get_typename(OBJECT(vs->tlscreds)));
3344                 return -1;
3345             }
3346         } else {
3347             VNC_DEBUG("Initializing VNC server with password auth\n");
3348             vs->auth = VNC_AUTH_VNC;
3349             vs->subauth = VNC_AUTH_INVALID;
3350         }
3351         if (websocket) {
3352             vs->ws_auth = VNC_AUTH_VNC;
3353         } else {
3354             vs->ws_auth = VNC_AUTH_INVALID;
3355         }
3356     } else if (sasl) {
3357         if (vs->tlscreds) {
3358             vs->auth = VNC_AUTH_VENCRYPT;
3359             if (websocket) {
3360                 vs->ws_tls = true;
3361             }
3362             if (object_dynamic_cast(OBJECT(vs->tlscreds),
3363                                     TYPE_QCRYPTO_TLS_CREDS_X509)) {
3364                 VNC_DEBUG("Initializing VNC server with x509 SASL auth\n");
3365                 vs->subauth = VNC_AUTH_VENCRYPT_X509SASL;
3366             } else if (object_dynamic_cast(OBJECT(vs->tlscreds),
3367                                            TYPE_QCRYPTO_TLS_CREDS_ANON)) {
3368                 VNC_DEBUG("Initializing VNC server with TLS SASL auth\n");
3369                 vs->subauth = VNC_AUTH_VENCRYPT_TLSSASL;
3370             } else {
3371                 error_setg(errp,
3372                            "Unsupported TLS cred type %s",
3373                            object_get_typename(OBJECT(vs->tlscreds)));
3374                 return -1;
3375             }
3376         } else {
3377             VNC_DEBUG("Initializing VNC server with SASL auth\n");
3378             vs->auth = VNC_AUTH_SASL;
3379             vs->subauth = VNC_AUTH_INVALID;
3380         }
3381         if (websocket) {
3382             vs->ws_auth = VNC_AUTH_SASL;
3383         } else {
3384             vs->ws_auth = VNC_AUTH_INVALID;
3385         }
3386     } else {
3387         if (vs->tlscreds) {
3388             vs->auth = VNC_AUTH_VENCRYPT;
3389             if (websocket) {
3390                 vs->ws_tls = true;
3391             }
3392             if (object_dynamic_cast(OBJECT(vs->tlscreds),
3393                                     TYPE_QCRYPTO_TLS_CREDS_X509)) {
3394                 VNC_DEBUG("Initializing VNC server with x509 no auth\n");
3395                 vs->subauth = VNC_AUTH_VENCRYPT_X509NONE;
3396             } else if (object_dynamic_cast(OBJECT(vs->tlscreds),
3397                                            TYPE_QCRYPTO_TLS_CREDS_ANON)) {
3398                 VNC_DEBUG("Initializing VNC server with TLS no auth\n");
3399                 vs->subauth = VNC_AUTH_VENCRYPT_TLSNONE;
3400             } else {
3401                 error_setg(errp,
3402                            "Unsupported TLS cred type %s",
3403                            object_get_typename(OBJECT(vs->tlscreds)));
3404                 return -1;
3405             }
3406         } else {
3407             VNC_DEBUG("Initializing VNC server with no auth\n");
3408             vs->auth = VNC_AUTH_NONE;
3409             vs->subauth = VNC_AUTH_INVALID;
3410         }
3411         if (websocket) {
3412             vs->ws_auth = VNC_AUTH_NONE;
3413         } else {
3414             vs->ws_auth = VNC_AUTH_INVALID;
3415         }
3416     }
3417     return 0;
3418 }
3419 
3420 
3421 /*
3422  * Handle back compat with old CLI syntax by creating some
3423  * suitable QCryptoTLSCreds objects
3424  */
3425 static QCryptoTLSCreds *
3426 vnc_display_create_creds(bool x509,
3427                          bool x509verify,
3428                          const char *dir,
3429                          const char *id,
3430                          Error **errp)
3431 {
3432     gchar *credsid = g_strdup_printf("tlsvnc%s", id);
3433     Object *parent = object_get_objects_root();
3434     Object *creds;
3435     Error *err = NULL;
3436 
3437     if (x509) {
3438         creds = object_new_with_props(TYPE_QCRYPTO_TLS_CREDS_X509,
3439                                       parent,
3440                                       credsid,
3441                                       &err,
3442                                       "endpoint", "server",
3443                                       "dir", dir,
3444                                       "verify-peer", x509verify ? "yes" : "no",
3445                                       NULL);
3446     } else {
3447         creds = object_new_with_props(TYPE_QCRYPTO_TLS_CREDS_ANON,
3448                                       parent,
3449                                       credsid,
3450                                       &err,
3451                                       "endpoint", "server",
3452                                       NULL);
3453     }
3454 
3455     g_free(credsid);
3456 
3457     if (err) {
3458         error_propagate(errp, err);
3459         return NULL;
3460     }
3461 
3462     return QCRYPTO_TLS_CREDS(creds);
3463 }
3464 
3465 
3466 void vnc_display_open(const char *id, Error **errp)
3467 {
3468     VncDisplay *vs = vnc_display_find(id);
3469     QemuOpts *opts = qemu_opts_find(&qemu_vnc_opts, id);
3470     SocketAddress *saddr = NULL, *wsaddr = NULL;
3471     const char *share, *device_id;
3472     QemuConsole *con;
3473     bool password = false;
3474     bool reverse = false;
3475     const char *vnc;
3476     char *h;
3477     const char *credid;
3478     bool sasl = false;
3479 #ifdef CONFIG_VNC_SASL
3480     int saslErr;
3481 #endif
3482     int acl = 0;
3483     int lock_key_sync = 1;
3484 
3485     if (!vs) {
3486         error_setg(errp, "VNC display not active");
3487         return;
3488     }
3489     vnc_display_close(vs);
3490 
3491     if (!opts) {
3492         return;
3493     }
3494     vnc = qemu_opt_get(opts, "vnc");
3495     if (!vnc || strcmp(vnc, "none") == 0) {
3496         return;
3497     }
3498 
3499     h = strrchr(vnc, ':');
3500     if (h) {
3501         size_t hlen = h - vnc;
3502 
3503         const char *websocket = qemu_opt_get(opts, "websocket");
3504         int to = qemu_opt_get_number(opts, "to", 0);
3505         bool has_ipv4 = qemu_opt_get(opts, "ipv4");
3506         bool has_ipv6 = qemu_opt_get(opts, "ipv6");
3507         bool ipv4 = qemu_opt_get_bool(opts, "ipv4", false);
3508         bool ipv6 = qemu_opt_get_bool(opts, "ipv6", false);
3509 
3510         saddr = g_new0(SocketAddress, 1);
3511         if (websocket) {
3512             if (!qcrypto_hash_supports(QCRYPTO_HASH_ALG_SHA1)) {
3513                 error_setg(errp,
3514                            "SHA1 hash support is required for websockets");
3515                 goto fail;
3516             }
3517 
3518             wsaddr = g_new0(SocketAddress, 1);
3519             vs->ws_enabled = true;
3520         }
3521 
3522         if (strncmp(vnc, "unix:", 5) == 0) {
3523             saddr->type = SOCKET_ADDRESS_KIND_UNIX;
3524             saddr->u.q_unix = g_new0(UnixSocketAddress, 1);
3525             saddr->u.q_unix->path = g_strdup(vnc + 5);
3526 
3527             if (vs->ws_enabled) {
3528                 error_setg(errp, "UNIX sockets not supported with websock");
3529                 goto fail;
3530             }
3531         } else {
3532             unsigned long long baseport;
3533             saddr->type = SOCKET_ADDRESS_KIND_INET;
3534             saddr->u.inet = g_new0(InetSocketAddress, 1);
3535             if (vnc[0] == '[' && vnc[hlen - 1] == ']') {
3536                 saddr->u.inet->host = g_strndup(vnc + 1, hlen - 2);
3537             } else {
3538                 saddr->u.inet->host = g_strndup(vnc, hlen);
3539             }
3540             if (parse_uint_full(h + 1, &baseport, 10) < 0) {
3541                 error_setg(errp, "can't convert to a number: %s", h + 1);
3542                 goto fail;
3543             }
3544             if (baseport > 65535 ||
3545                 baseport + 5900 > 65535) {
3546                 error_setg(errp, "port %s out of range", h + 1);
3547                 goto fail;
3548             }
3549             saddr->u.inet->port = g_strdup_printf(
3550                 "%d", (int)baseport + 5900);
3551 
3552             if (to) {
3553                 saddr->u.inet->has_to = true;
3554                 saddr->u.inet->to = to + 5900;
3555             }
3556             saddr->u.inet->ipv4 = ipv4;
3557             saddr->u.inet->has_ipv4 = has_ipv4;
3558             saddr->u.inet->ipv6 = ipv6;
3559             saddr->u.inet->has_ipv6 = has_ipv6;
3560 
3561             if (vs->ws_enabled) {
3562                 wsaddr->type = SOCKET_ADDRESS_KIND_INET;
3563                 wsaddr->u.inet = g_new0(InetSocketAddress, 1);
3564                 wsaddr->u.inet->host = g_strdup(saddr->u.inet->host);
3565                 wsaddr->u.inet->port = g_strdup(websocket);
3566 
3567                 if (to) {
3568                     wsaddr->u.inet->has_to = true;
3569                     wsaddr->u.inet->to = to;
3570                 }
3571                 wsaddr->u.inet->ipv4 = ipv4;
3572                 wsaddr->u.inet->has_ipv4 = has_ipv4;
3573                 wsaddr->u.inet->ipv6 = ipv6;
3574                 wsaddr->u.inet->has_ipv6 = has_ipv6;
3575             }
3576         }
3577     } else {
3578         error_setg(errp, "no vnc port specified");
3579         goto fail;
3580     }
3581 
3582     password = qemu_opt_get_bool(opts, "password", false);
3583     if (password) {
3584         if (fips_get_state()) {
3585             error_setg(errp,
3586                        "VNC password auth disabled due to FIPS mode, "
3587                        "consider using the VeNCrypt or SASL authentication "
3588                        "methods as an alternative");
3589             goto fail;
3590         }
3591         if (!qcrypto_cipher_supports(
3592                 QCRYPTO_CIPHER_ALG_DES_RFB)) {
3593             error_setg(errp,
3594                        "Cipher backend does not support DES RFB algorithm");
3595             goto fail;
3596         }
3597     }
3598 
3599     reverse = qemu_opt_get_bool(opts, "reverse", false);
3600     lock_key_sync = qemu_opt_get_bool(opts, "lock-key-sync", true);
3601     sasl = qemu_opt_get_bool(opts, "sasl", false);
3602 #ifndef CONFIG_VNC_SASL
3603     if (sasl) {
3604         error_setg(errp, "VNC SASL auth requires cyrus-sasl support");
3605         goto fail;
3606     }
3607 #endif /* CONFIG_VNC_SASL */
3608     credid = qemu_opt_get(opts, "tls-creds");
3609     if (credid) {
3610         Object *creds;
3611         if (qemu_opt_get(opts, "tls") ||
3612             qemu_opt_get(opts, "x509") ||
3613             qemu_opt_get(opts, "x509verify")) {
3614             error_setg(errp,
3615                        "'tls-creds' parameter is mutually exclusive with "
3616                        "'tls', 'x509' and 'x509verify' parameters");
3617             goto fail;
3618         }
3619 
3620         creds = object_resolve_path_component(
3621             object_get_objects_root(), credid);
3622         if (!creds) {
3623             error_setg(errp, "No TLS credentials with id '%s'",
3624                        credid);
3625             goto fail;
3626         }
3627         vs->tlscreds = (QCryptoTLSCreds *)
3628             object_dynamic_cast(creds,
3629                                 TYPE_QCRYPTO_TLS_CREDS);
3630         if (!vs->tlscreds) {
3631             error_setg(errp, "Object with id '%s' is not TLS credentials",
3632                        credid);
3633             goto fail;
3634         }
3635         object_ref(OBJECT(vs->tlscreds));
3636 
3637         if (vs->tlscreds->endpoint != QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) {
3638             error_setg(errp,
3639                        "Expecting TLS credentials with a server endpoint");
3640             goto fail;
3641         }
3642     } else {
3643         const char *path;
3644         bool tls = false, x509 = false, x509verify = false;
3645         tls  = qemu_opt_get_bool(opts, "tls", false);
3646         if (tls) {
3647             path = qemu_opt_get(opts, "x509");
3648 
3649             if (path) {
3650                 x509 = true;
3651             } else {
3652                 path = qemu_opt_get(opts, "x509verify");
3653                 if (path) {
3654                     x509 = true;
3655                     x509verify = true;
3656                 }
3657             }
3658             vs->tlscreds = vnc_display_create_creds(x509,
3659                                                     x509verify,
3660                                                     path,
3661                                                     vs->id,
3662                                                     errp);
3663             if (!vs->tlscreds) {
3664                 goto fail;
3665             }
3666         }
3667     }
3668     acl = qemu_opt_get_bool(opts, "acl", false);
3669 
3670     share = qemu_opt_get(opts, "share");
3671     if (share) {
3672         if (strcmp(share, "ignore") == 0) {
3673             vs->share_policy = VNC_SHARE_POLICY_IGNORE;
3674         } else if (strcmp(share, "allow-exclusive") == 0) {
3675             vs->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
3676         } else if (strcmp(share, "force-shared") == 0) {
3677             vs->share_policy = VNC_SHARE_POLICY_FORCE_SHARED;
3678         } else {
3679             error_setg(errp, "unknown vnc share= option");
3680             goto fail;
3681         }
3682     } else {
3683         vs->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
3684     }
3685     vs->connections_limit = qemu_opt_get_number(opts, "connections", 32);
3686 
3687 #ifdef CONFIG_VNC_JPEG
3688     vs->lossy = qemu_opt_get_bool(opts, "lossy", false);
3689 #endif
3690     vs->non_adaptive = qemu_opt_get_bool(opts, "non-adaptive", false);
3691     /* adaptive updates are only used with tight encoding and
3692      * if lossy updates are enabled so we can disable all the
3693      * calculations otherwise */
3694     if (!vs->lossy) {
3695         vs->non_adaptive = true;
3696     }
3697 
3698     if (acl) {
3699         if (strcmp(vs->id, "default") == 0) {
3700             vs->tlsaclname = g_strdup("vnc.x509dname");
3701         } else {
3702             vs->tlsaclname = g_strdup_printf("vnc.%s.x509dname", vs->id);
3703         }
3704         qemu_acl_init(vs->tlsaclname);
3705     }
3706 #ifdef CONFIG_VNC_SASL
3707     if (acl && sasl) {
3708         char *aclname;
3709 
3710         if (strcmp(vs->id, "default") == 0) {
3711             aclname = g_strdup("vnc.username");
3712         } else {
3713             aclname = g_strdup_printf("vnc.%s.username", vs->id);
3714         }
3715         vs->sasl.acl = qemu_acl_init(aclname);
3716         g_free(aclname);
3717     }
3718 #endif
3719 
3720     if (vnc_display_setup_auth(vs, password, sasl, vs->ws_enabled, errp) < 0) {
3721         goto fail;
3722     }
3723 
3724 #ifdef CONFIG_VNC_SASL
3725     if ((saslErr = sasl_server_init(NULL, "qemu")) != SASL_OK) {
3726         error_setg(errp, "Failed to initialize SASL auth: %s",
3727                    sasl_errstring(saslErr, NULL, NULL));
3728         goto fail;
3729     }
3730 #endif
3731     vs->lock_key_sync = lock_key_sync;
3732 
3733     device_id = qemu_opt_get(opts, "display");
3734     if (device_id) {
3735         DeviceState *dev;
3736         int head = qemu_opt_get_number(opts, "head", 0);
3737 
3738         dev = qdev_find_recursive(sysbus_get_default(), device_id);
3739         if (dev == NULL) {
3740             error_setg(errp, "Device '%s' not found", device_id);
3741             goto fail;
3742         }
3743 
3744         con = qemu_console_lookup_by_device(dev, head);
3745         if (con == NULL) {
3746             error_setg(errp, "Device %s is not bound to a QemuConsole",
3747                        device_id);
3748             goto fail;
3749         }
3750     } else {
3751         con = NULL;
3752     }
3753 
3754     if (con != vs->dcl.con) {
3755         unregister_displaychangelistener(&vs->dcl);
3756         vs->dcl.con = con;
3757         register_displaychangelistener(&vs->dcl);
3758     }
3759 
3760     if (reverse) {
3761         /* connect to viewer */
3762         QIOChannelSocket *sioc = NULL;
3763         vs->lsock = NULL;
3764         vs->lwebsock = NULL;
3765         if (vs->ws_enabled) {
3766             error_setg(errp, "Cannot use websockets in reverse mode");
3767             goto fail;
3768         }
3769         vs->is_unix = saddr->type == SOCKET_ADDRESS_KIND_UNIX;
3770         sioc = qio_channel_socket_new();
3771         if (qio_channel_socket_connect_sync(sioc, saddr, errp) < 0) {
3772             goto fail;
3773         }
3774         vnc_connect(vs, sioc, false, false);
3775         object_unref(OBJECT(sioc));
3776     } else {
3777         vs->lsock = qio_channel_socket_new();
3778         if (qio_channel_socket_listen_sync(vs->lsock, saddr, errp) < 0) {
3779             goto fail;
3780         }
3781         vs->is_unix = saddr->type == SOCKET_ADDRESS_KIND_UNIX;
3782         vs->enabled = true;
3783 
3784         if (vs->ws_enabled) {
3785             vs->lwebsock = qio_channel_socket_new();
3786             if (qio_channel_socket_listen_sync(vs->lwebsock,
3787                                                wsaddr, errp) < 0) {
3788                 object_unref(OBJECT(vs->lsock));
3789                 vs->lsock = NULL;
3790                 goto fail;
3791             }
3792         }
3793 
3794         vs->lsock_tag = qio_channel_add_watch(
3795             QIO_CHANNEL(vs->lsock),
3796             G_IO_IN, vnc_listen_io, vs, NULL);
3797         if (vs->ws_enabled) {
3798             vs->lwebsock_tag = qio_channel_add_watch(
3799                 QIO_CHANNEL(vs->lwebsock),
3800                 G_IO_IN, vnc_listen_io, vs, NULL);
3801         }
3802     }
3803 
3804     qapi_free_SocketAddress(saddr);
3805     qapi_free_SocketAddress(wsaddr);
3806     return;
3807 
3808 fail:
3809     qapi_free_SocketAddress(saddr);
3810     qapi_free_SocketAddress(wsaddr);
3811     vs->enabled = false;
3812     vs->ws_enabled = false;
3813 }
3814 
3815 void vnc_display_add_client(const char *id, int csock, bool skipauth)
3816 {
3817     VncDisplay *vs = vnc_display_find(id);
3818     QIOChannelSocket *sioc;
3819 
3820     if (!vs) {
3821         return;
3822     }
3823 
3824     sioc = qio_channel_socket_new_fd(csock, NULL);
3825     if (sioc) {
3826         vnc_connect(vs, sioc, skipauth, false);
3827         object_unref(OBJECT(sioc));
3828     }
3829 }
3830 
3831 static void vnc_auto_assign_id(QemuOptsList *olist, QemuOpts *opts)
3832 {
3833     int i = 2;
3834     char *id;
3835 
3836     id = g_strdup("default");
3837     while (qemu_opts_find(olist, id)) {
3838         g_free(id);
3839         id = g_strdup_printf("vnc%d", i++);
3840     }
3841     qemu_opts_set_id(opts, id);
3842 }
3843 
3844 QemuOpts *vnc_parse(const char *str, Error **errp)
3845 {
3846     QemuOptsList *olist = qemu_find_opts("vnc");
3847     QemuOpts *opts = qemu_opts_parse(olist, str, true, errp);
3848     const char *id;
3849 
3850     if (!opts) {
3851         return NULL;
3852     }
3853 
3854     id = qemu_opts_id(opts);
3855     if (!id) {
3856         /* auto-assign id if not present */
3857         vnc_auto_assign_id(olist, opts);
3858     }
3859     return opts;
3860 }
3861 
3862 int vnc_init_func(void *opaque, QemuOpts *opts, Error **errp)
3863 {
3864     Error *local_err = NULL;
3865     char *id = (char *)qemu_opts_id(opts);
3866 
3867     assert(id);
3868     vnc_display_init(id);
3869     vnc_display_open(id, &local_err);
3870     if (local_err != NULL) {
3871         error_reportf_err(local_err, "Failed to start VNC server: ");
3872         exit(1);
3873     }
3874     return 0;
3875 }
3876 
3877 static void vnc_register_config(void)
3878 {
3879     qemu_add_opts(&qemu_vnc_opts);
3880 }
3881 machine_init(vnc_register_config);
3882