1/*
2 * QEMU VNC display driver
3 *
4 * Copyright (C) 2006 Anthony Liguori <anthony@codemonkey.ws>
5 * Copyright (C) 2006 Fabrice Bellard
6 * Copyright (C) 2009 Red Hat, Inc
7 *
8 * Permission is hereby granted, free of charge, to any person obtaining a copy
9 * of this software and associated documentation files (the "Software"), to deal
10 * in the Software without restriction, including without limitation the rights
11 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
12 * copies of the Software, and to permit persons to whom the Software is
13 * furnished to do so, subject to the following conditions:
14 *
15 * The above copyright notice and this permission notice shall be included in
16 * all copies or substantial portions of the Software.
17 *
18 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
19 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
20 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
21 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
22 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
23 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
24 * THE SOFTWARE.
25 */
26
27#include "qemu/osdep.h"
28#include "vnc.h"
29#include "vnc-jobs.h"
30#include "trace.h"
31#include "hw/qdev-core.h"
32#include "sysemu/sysemu.h"
33#include "qemu/error-report.h"
34#include "qemu/main-loop.h"
35#include "qemu/module.h"
36#include "qemu/option.h"
37#include "qemu/sockets.h"
38#include "qemu/timer.h"
39#include "authz/list.h"
40#include "qemu/config-file.h"
41#include "qapi/qapi-emit-events.h"
42#include "qapi/qapi-events-ui.h"
43#include "qapi/error.h"
44#include "qapi/qapi-commands-ui.h"
45#include "ui/input.h"
46#include "crypto/hash.h"
47#include "crypto/tlscredsanon.h"
48#include "crypto/tlscredsx509.h"
49#include "crypto/random.h"
50#include "qom/object_interfaces.h"
51#include "qemu/cutils.h"
52#include "io/dns-resolver.h"
53
54#define VNC_REFRESH_INTERVAL_BASE GUI_REFRESH_INTERVAL_DEFAULT
55#define VNC_REFRESH_INTERVAL_INC 50
56#define VNC_REFRESH_INTERVAL_MAX GUI_REFRESH_INTERVAL_IDLE
57static const struct timeval VNC_REFRESH_STATS = { 0, 500000 };
58static const struct timeval VNC_REFRESH_LOSSY = { 2, 0 };
59
60#include "vnc_keysym.h"
61#include "crypto/cipher.h"
62
63static QTAILQ_HEAD(, VncDisplay) vnc_displays =
64 QTAILQ_HEAD_INITIALIZER(vnc_displays);
65
66static int vnc_cursor_define(VncState *vs);
67static void vnc_update_throttle_offset(VncState *vs);
68
69static void vnc_set_share_mode(VncState *vs, VncShareMode mode)
70{
71#ifdef _VNC_DEBUG
72 static const char *mn[] = {
73 [0] = "undefined",
74 [VNC_SHARE_MODE_CONNECTING] = "connecting",
75 [VNC_SHARE_MODE_SHARED] = "shared",
76 [VNC_SHARE_MODE_EXCLUSIVE] = "exclusive",
77 [VNC_SHARE_MODE_DISCONNECTED] = "disconnected",
78 };
79 fprintf(stderr, "%s/%p: %s -> %s\n", __func__,
80 vs->ioc, mn[vs->share_mode], mn[mode]);
81#endif
82
83 switch (vs->share_mode) {
84 case VNC_SHARE_MODE_CONNECTING:
85 vs->vd->num_connecting--;
86 break;
87 case VNC_SHARE_MODE_SHARED:
88 vs->vd->num_shared--;
89 break;
90 case VNC_SHARE_MODE_EXCLUSIVE:
91 vs->vd->num_exclusive--;
92 break;
93 default:
94 break;
95 }
96
97 vs->share_mode = mode;
98
99 switch (vs->share_mode) {
100 case VNC_SHARE_MODE_CONNECTING:
101 vs->vd->num_connecting++;
102 break;
103 case VNC_SHARE_MODE_SHARED:
104 vs->vd->num_shared++;
105 break;
106 case VNC_SHARE_MODE_EXCLUSIVE:
107 vs->vd->num_exclusive++;
108 break;
109 default:
110 break;
111 }
112}
113
114
115static void vnc_init_basic_info(SocketAddress *addr,
116 VncBasicInfo *info,
117 Error **errp)
118{
119 switch (addr->type) {
120 case SOCKET_ADDRESS_TYPE_INET:
121 info->host = g_strdup(addr->u.inet.host);
122 info->service = g_strdup(addr->u.inet.port);
123 if (addr->u.inet.ipv6) {
124 info->family = NETWORK_ADDRESS_FAMILY_IPV6;
125 } else {
126 info->family = NETWORK_ADDRESS_FAMILY_IPV4;
127 }
128 break;
129
130 case SOCKET_ADDRESS_TYPE_UNIX:
131 info->host = g_strdup("");
132 info->service = g_strdup(addr->u.q_unix.path);
133 info->family = NETWORK_ADDRESS_FAMILY_UNIX;
134 break;
135
136 case SOCKET_ADDRESS_TYPE_VSOCK:
137 case SOCKET_ADDRESS_TYPE_FD:
138 error_setg(errp, "Unsupported socket address type %s",
139 SocketAddressType_str(addr->type));
140 break;
141 default:
142 abort();
143 }
144
145 return;
146}
147
148static void vnc_init_basic_info_from_server_addr(QIOChannelSocket *ioc,
149 VncBasicInfo *info,
150 Error **errp)
151{
152 SocketAddress *addr = NULL;
153
154 if (!ioc) {
155 error_setg(errp, "No listener socket available");
156 return;
157 }
158
159 addr = qio_channel_socket_get_local_address(ioc, errp);
160 if (!addr) {
161 return;
162 }
163
164 vnc_init_basic_info(addr, info, errp);
165 qapi_free_SocketAddress(addr);
166}
167
168static void vnc_init_basic_info_from_remote_addr(QIOChannelSocket *ioc,
169 VncBasicInfo *info,
170 Error **errp)
171{
172 SocketAddress *addr = NULL;
173
174 addr = qio_channel_socket_get_remote_address(ioc, errp);
175 if (!addr) {
176 return;
177 }
178
179 vnc_init_basic_info(addr, info, errp);
180 qapi_free_SocketAddress(addr);
181}
182
183static const char *vnc_auth_name(VncDisplay *vd) {
184 switch (vd->auth) {
185 case VNC_AUTH_INVALID:
186 return "invalid";
187 case VNC_AUTH_NONE:
188 return "none";
189 case VNC_AUTH_VNC:
190 return "vnc";
191 case VNC_AUTH_RA2:
192 return "ra2";
193 case VNC_AUTH_RA2NE:
194 return "ra2ne";
195 case VNC_AUTH_TIGHT:
196 return "tight";
197 case VNC_AUTH_ULTRA:
198 return "ultra";
199 case VNC_AUTH_TLS:
200 return "tls";
201 case VNC_AUTH_VENCRYPT:
202 switch (vd->subauth) {
203 case VNC_AUTH_VENCRYPT_PLAIN:
204 return "vencrypt+plain";
205 case VNC_AUTH_VENCRYPT_TLSNONE:
206 return "vencrypt+tls+none";
207 case VNC_AUTH_VENCRYPT_TLSVNC:
208 return "vencrypt+tls+vnc";
209 case VNC_AUTH_VENCRYPT_TLSPLAIN:
210 return "vencrypt+tls+plain";
211 case VNC_AUTH_VENCRYPT_X509NONE:
212 return "vencrypt+x509+none";
213 case VNC_AUTH_VENCRYPT_X509VNC:
214 return "vencrypt+x509+vnc";
215 case VNC_AUTH_VENCRYPT_X509PLAIN:
216 return "vencrypt+x509+plain";
217 case VNC_AUTH_VENCRYPT_TLSSASL:
218 return "vencrypt+tls+sasl";
219 case VNC_AUTH_VENCRYPT_X509SASL:
220 return "vencrypt+x509+sasl";
221 default:
222 return "vencrypt";
223 }
224 case VNC_AUTH_SASL:
225 return "sasl";
226 }
227 return "unknown";
228}
229
230static VncServerInfo *vnc_server_info_get(VncDisplay *vd)
231{
232 VncServerInfo *info;
233 Error *err = NULL;
234
235 if (!vd->listener || !vd->listener->nsioc) {
236 return NULL;
237 }
238
239 info = g_malloc0(sizeof(*info));
240 vnc_init_basic_info_from_server_addr(vd->listener->sioc[0],
241 qapi_VncServerInfo_base(info), &err);
242 info->has_auth = true;
243 info->auth = g_strdup(vnc_auth_name(vd));
244 if (err) {
245 qapi_free_VncServerInfo(info);
246 info = NULL;
247 error_free(err);
248 }
249 return info;
250}
251
252static void vnc_client_cache_auth(VncState *client)
253{
254 if (!client->info) {
255 return;
256 }
257
258 if (client->tls) {
259 client->info->x509_dname =
260 qcrypto_tls_session_get_peer_name(client->tls);
261 client->info->has_x509_dname =
262 client->info->x509_dname != NULL;
263 }
264#ifdef CONFIG_VNC_SASL
265 if (client->sasl.conn &&
266 client->sasl.username) {
267 client->info->has_sasl_username = true;
268 client->info->sasl_username = g_strdup(client->sasl.username);
269 }
270#endif
271}
272
273static void vnc_client_cache_addr(VncState *client)
274{
275 Error *err = NULL;
276
277 client->info = g_malloc0(sizeof(*client->info));
278 vnc_init_basic_info_from_remote_addr(client->sioc,
279 qapi_VncClientInfo_base(client->info),
280 &err);
281 if (err) {
282 qapi_free_VncClientInfo(client->info);
283 client->info = NULL;
284 error_free(err);
285 }
286}
287
288static void vnc_qmp_event(VncState *vs, QAPIEvent event)
289{
290 VncServerInfo *si;
291
292 if (!vs->info) {
293 return;
294 }
295
296 si = vnc_server_info_get(vs->vd);
297 if (!si) {
298 return;
299 }
300
301 switch (event) {
302 case QAPI_EVENT_VNC_CONNECTED:
303 qapi_event_send_vnc_connected(si, qapi_VncClientInfo_base(vs->info));
304 break;
305 case QAPI_EVENT_VNC_INITIALIZED:
306 qapi_event_send_vnc_initialized(si, vs->info);
307 break;
308 case QAPI_EVENT_VNC_DISCONNECTED:
309 qapi_event_send_vnc_disconnected(si, vs->info);
310 break;
311 default:
312 break;
313 }
314
315 qapi_free_VncServerInfo(si);
316}
317
318static VncClientInfo *qmp_query_vnc_client(const VncState *client)
319{
320 VncClientInfo *info;
321 Error *err = NULL;
322
323 info = g_malloc0(sizeof(*info));
324
325 vnc_init_basic_info_from_remote_addr(client->sioc,
326 qapi_VncClientInfo_base(info),
327 &err);
328 if (err) {
329 error_free(err);
330 qapi_free_VncClientInfo(info);
331 return NULL;
332 }
333
334 info->websocket = client->websocket;
335
336 if (client->tls) {
337 info->x509_dname = qcrypto_tls_session_get_peer_name(client->tls);
338 info->has_x509_dname = info->x509_dname != NULL;
339 }
340#ifdef CONFIG_VNC_SASL
341 if (client->sasl.conn && client->sasl.username) {
342 info->has_sasl_username = true;
343 info->sasl_username = g_strdup(client->sasl.username);
344 }
345#endif
346
347 return info;
348}
349
350static VncDisplay *vnc_display_find(const char *id)
351{
352 VncDisplay *vd;
353
354 if (id == NULL) {
355 return QTAILQ_FIRST(&vnc_displays);
356 }
357 QTAILQ_FOREACH(vd, &vnc_displays, next) {
358 if (strcmp(id, vd->id) == 0) {
359 return vd;
360 }
361 }
362 return NULL;
363}
364
365static VncClientInfoList *qmp_query_client_list(VncDisplay *vd)
366{
367 VncClientInfoList *cinfo, *prev = NULL;
368 VncState *client;
369
370 QTAILQ_FOREACH(client, &vd->clients, next) {
371 cinfo = g_new0(VncClientInfoList, 1);
372 cinfo->value = qmp_query_vnc_client(client);
373 cinfo->next = prev;
374 prev = cinfo;
375 }
376 return prev;
377}
378
379VncInfo *qmp_query_vnc(Error **errp)
380{
381 VncInfo *info = g_malloc0(sizeof(*info));
382 VncDisplay *vd = vnc_display_find(NULL);
383 SocketAddress *addr = NULL;
384
385 if (vd == NULL || !vd->listener || !vd->listener->nsioc) {
386 info->enabled = false;
387 } else {
388 info->enabled = true;
389
390 /* for compatibility with the original command */
391 info->has_clients = true;
392 info->clients = qmp_query_client_list(vd);
393
394 addr = qio_channel_socket_get_local_address(vd->listener->sioc[0],
395 errp);
396 if (!addr) {
397 goto out_error;
398 }
399
400 switch (addr->type) {
401 case SOCKET_ADDRESS_TYPE_INET:
402 info->host = g_strdup(addr->u.inet.host);
403 info->service = g_strdup(addr->u.inet.port);
404 if (addr->u.inet.ipv6) {
405 info->family = NETWORK_ADDRESS_FAMILY_IPV6;
406 } else {
407 info->family = NETWORK_ADDRESS_FAMILY_IPV4;
408 }
409 break;
410
411 case SOCKET_ADDRESS_TYPE_UNIX:
412 info->host = g_strdup("");
413 info->service = g_strdup(addr->u.q_unix.path);
414 info->family = NETWORK_ADDRESS_FAMILY_UNIX;
415 break;
416
417 case SOCKET_ADDRESS_TYPE_VSOCK:
418 case SOCKET_ADDRESS_TYPE_FD:
419 error_setg(errp, "Unsupported socket address type %s",
420 SocketAddressType_str(addr->type));
421 goto out_error;
422 default:
423 abort();
424 }
425
426 info->has_host = true;
427 info->has_service = true;
428 info->has_family = true;
429
430 info->has_auth = true;
431 info->auth = g_strdup(vnc_auth_name(vd));
432 }
433
434 qapi_free_SocketAddress(addr);
435 return info;
436
437out_error:
438 qapi_free_SocketAddress(addr);
439 qapi_free_VncInfo(info);
440 return NULL;
441}
442
443
444static void qmp_query_auth(int auth, int subauth,
445 VncPrimaryAuth *qmp_auth,
446 VncVencryptSubAuth *qmp_vencrypt,
447 bool *qmp_has_vencrypt);
448
449static VncServerInfo2List *qmp_query_server_entry(QIOChannelSocket *ioc,
450 bool websocket,
451 int auth,
452 int subauth,
453 VncServerInfo2List *prev)
454{
455 VncServerInfo2List *list;
456 VncServerInfo2 *info;
457 Error *err = NULL;
458 SocketAddress *addr;
459
460 addr = qio_channel_socket_get_local_address(ioc, &err);
461 if (!addr) {
462 error_free(err);
463 return prev;
464 }
465
466 info = g_new0(VncServerInfo2, 1);
467 vnc_init_basic_info(addr, qapi_VncServerInfo2_base(info), &err);
468 qapi_free_SocketAddress(addr);
469 if (err) {
470 qapi_free_VncServerInfo2(info);
471 error_free(err);
472 return prev;
473 }
474 info->websocket = websocket;
475
476 qmp_query_auth(auth, subauth, &info->auth,
477 &info->vencrypt, &info->has_vencrypt);
478
479 list = g_new0(VncServerInfo2List, 1);
480 list->value = info;
481 list->next = prev;
482 return list;
483}
484
485static void qmp_query_auth(int auth, int subauth,
486 VncPrimaryAuth *qmp_auth,
487 VncVencryptSubAuth *qmp_vencrypt,
488 bool *qmp_has_vencrypt)
489{
490 switch (auth) {
491 case VNC_AUTH_VNC:
492 *qmp_auth = VNC_PRIMARY_AUTH_VNC;
493 break;
494 case VNC_AUTH_RA2:
495 *qmp_auth = VNC_PRIMARY_AUTH_RA2;
496 break;
497 case VNC_AUTH_RA2NE:
498 *qmp_auth = VNC_PRIMARY_AUTH_RA2NE;
499 break;
500 case VNC_AUTH_TIGHT:
501 *qmp_auth = VNC_PRIMARY_AUTH_TIGHT;
502 break;
503 case VNC_AUTH_ULTRA:
504 *qmp_auth = VNC_PRIMARY_AUTH_ULTRA;
505 break;
506 case VNC_AUTH_TLS:
507 *qmp_auth = VNC_PRIMARY_AUTH_TLS;
508 break;
509 case VNC_AUTH_VENCRYPT:
510 *qmp_auth = VNC_PRIMARY_AUTH_VENCRYPT;
511 *qmp_has_vencrypt = true;
512 switch (subauth) {
513 case VNC_AUTH_VENCRYPT_PLAIN:
514 *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_PLAIN;
515 break;
516 case VNC_AUTH_VENCRYPT_TLSNONE:
517 *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_NONE;
518 break;
519 case VNC_AUTH_VENCRYPT_TLSVNC:
520 *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_VNC;
521 break;
522 case VNC_AUTH_VENCRYPT_TLSPLAIN:
523 *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_PLAIN;
524 break;
525 case VNC_AUTH_VENCRYPT_X509NONE:
526 *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_NONE;
527 break;
528 case VNC_AUTH_VENCRYPT_X509VNC:
529 *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_VNC;
530 break;
531 case VNC_AUTH_VENCRYPT_X509PLAIN:
532 *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_PLAIN;
533 break;
534 case VNC_AUTH_VENCRYPT_TLSSASL:
535 *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_TLS_SASL;
536 break;
537 case VNC_AUTH_VENCRYPT_X509SASL:
538 *qmp_vencrypt = VNC_VENCRYPT_SUB_AUTH_X509_SASL;
539 break;
540 default:
541 *qmp_has_vencrypt = false;
542 break;
543 }
544 break;
545 case VNC_AUTH_SASL:
546 *qmp_auth = VNC_PRIMARY_AUTH_SASL;
547 break;
548 case VNC_AUTH_NONE:
549 default:
550 *qmp_auth = VNC_PRIMARY_AUTH_NONE;
551 break;
552 }
553}
554
555VncInfo2List *qmp_query_vnc_servers(Error **errp)
556{
557 VncInfo2List *item, *prev = NULL;
558 VncInfo2 *info;
559 VncDisplay *vd;
560 DeviceState *dev;
561 size_t i;
562
563 QTAILQ_FOREACH(vd, &vnc_displays, next) {
564 info = g_new0(VncInfo2, 1);
565 info->id = g_strdup(vd->id);
566 info->clients = qmp_query_client_list(vd);
567 qmp_query_auth(vd->auth, vd->subauth, &info->auth,
568 &info->vencrypt, &info->has_vencrypt);
569 if (vd->dcl.con) {
570 dev = DEVICE(object_property_get_link(OBJECT(vd->dcl.con),
571 "device", NULL));
572 info->has_display = true;
573 info->display = g_strdup(dev->id);
574 }
575 for (i = 0; vd->listener != NULL && i < vd->listener->nsioc; i++) {
576 info->server = qmp_query_server_entry(
577 vd->listener->sioc[i], false, vd->auth, vd->subauth,
578 info->server);
579 }
580 for (i = 0; vd->wslistener != NULL && i < vd->wslistener->nsioc; i++) {
581 info->server = qmp_query_server_entry(
582 vd->wslistener->sioc[i], true, vd->ws_auth,
583 vd->ws_subauth, info->server);
584 }
585
586 item = g_new0(VncInfo2List, 1);
587 item->value = info;
588 item->next = prev;
589 prev = item;
590 }
591 return prev;
592}
593
594/* TODO
595 1) Get the queue working for IO.
596 2) there is some weirdness when using the -S option (the screen is grey
597 and not totally invalidated
598 3) resolutions > 1024
599*/
600
601static int vnc_update_client(VncState *vs, int has_dirty);
602static void vnc_disconnect_start(VncState *vs);
603
604static void vnc_colordepth(VncState *vs);
605static void framebuffer_update_request(VncState *vs, int incremental,
606 int x_position, int y_position,
607 int w, int h);
608static void vnc_refresh(DisplayChangeListener *dcl);
609static int vnc_refresh_server_surface(VncDisplay *vd);
610
611static int vnc_width(VncDisplay *vd)
612{
613 return MIN(VNC_MAX_WIDTH, ROUND_UP(surface_width(vd->ds),
614 VNC_DIRTY_PIXELS_PER_BIT));
615}
616
617static int vnc_height(VncDisplay *vd)
618{
619 return MIN(VNC_MAX_HEIGHT, surface_height(vd->ds));
620}
621
622static void vnc_set_area_dirty(DECLARE_BITMAP(dirty[VNC_MAX_HEIGHT],
623 VNC_MAX_WIDTH / VNC_DIRTY_PIXELS_PER_BIT),
624 VncDisplay *vd,
625 int x, int y, int w, int h)
626{
627 int width = vnc_width(vd);
628 int height = vnc_height(vd);
629
630 /* this is needed this to ensure we updated all affected
631 * blocks if x % VNC_DIRTY_PIXELS_PER_BIT != 0 */
632 w += (x % VNC_DIRTY_PIXELS_PER_BIT);
633 x -= (x % VNC_DIRTY_PIXELS_PER_BIT);
634
635 x = MIN(x, width);
636 y = MIN(y, height);
637 w = MIN(x + w, width) - x;
638 h = MIN(y + h, height);
639
640 for (; y < h; y++) {
641 bitmap_set(dirty[y], x / VNC_DIRTY_PIXELS_PER_BIT,
642 DIV_ROUND_UP(w, VNC_DIRTY_PIXELS_PER_BIT));
643 }
644}
645
646static void vnc_dpy_update(DisplayChangeListener *dcl,
647 int x, int y, int w, int h)
648{
649 VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
650 struct VncSurface *s = &vd->guest;
651
652 vnc_set_area_dirty(s->dirty, vd, x, y, w, h);
653}
654
655void vnc_framebuffer_update(VncState *vs, int x, int y, int w, int h,
656 int32_t encoding)
657{
658 vnc_write_u16(vs, x);
659 vnc_write_u16(vs, y);
660 vnc_write_u16(vs, w);
661 vnc_write_u16(vs, h);
662
663 vnc_write_s32(vs, encoding);
664}
665
666
667static void vnc_desktop_resize(VncState *vs)
668{
669 if (vs->ioc == NULL || !vnc_has_feature(vs, VNC_FEATURE_RESIZE)) {
670 return;
671 }
672 if (vs->client_width == pixman_image_get_width(vs->vd->server) &&
673 vs->client_height == pixman_image_get_height(vs->vd->server)) {
674 return;
675 }
676
677 assert(pixman_image_get_width(vs->vd->server) < 65536 &&
678 pixman_image_get_width(vs->vd->server) >= 0);
679 assert(pixman_image_get_height(vs->vd->server) < 65536 &&
680 pixman_image_get_height(vs->vd->server) >= 0);
681 vs->client_width = pixman_image_get_width(vs->vd->server);
682 vs->client_height = pixman_image_get_height(vs->vd->server);
683 vnc_lock_output(vs);
684 vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
685 vnc_write_u8(vs, 0);
686 vnc_write_u16(vs, 1); /* number of rects */
687 vnc_framebuffer_update(vs, 0, 0, vs->client_width, vs->client_height,
688 VNC_ENCODING_DESKTOPRESIZE);
689 vnc_unlock_output(vs);
690 vnc_flush(vs);
691}
692
693static void vnc_abort_display_jobs(VncDisplay *vd)
694{
695 VncState *vs;
696
697 QTAILQ_FOREACH(vs, &vd->clients, next) {
698 vnc_lock_output(vs);
699 vs->abort = true;
700 vnc_unlock_output(vs);
701 }
702 QTAILQ_FOREACH(vs, &vd->clients, next) {
703 vnc_jobs_join(vs);
704 }
705 QTAILQ_FOREACH(vs, &vd->clients, next) {
706 vnc_lock_output(vs);
707 if (vs->update == VNC_STATE_UPDATE_NONE &&
708 vs->job_update != VNC_STATE_UPDATE_NONE) {
709 /* job aborted before completion */
710 vs->update = vs->job_update;
711 vs->job_update = VNC_STATE_UPDATE_NONE;
712 }
713 vs->abort = false;
714 vnc_unlock_output(vs);
715 }
716}
717
718int vnc_server_fb_stride(VncDisplay *vd)
719{
720 return pixman_image_get_stride(vd->server);
721}
722
723void *vnc_server_fb_ptr(VncDisplay *vd, int x, int y)
724{
725 uint8_t *ptr;
726
727 ptr = (uint8_t *)pixman_image_get_data(vd->server);
728 ptr += y * vnc_server_fb_stride(vd);
729 ptr += x * VNC_SERVER_FB_BYTES;
730 return ptr;
731}
732
733static void vnc_update_server_surface(VncDisplay *vd)
734{
735 int width, height;
736
737 qemu_pixman_image_unref(vd->server);
738 vd->server = NULL;
739
740 if (QTAILQ_EMPTY(&vd->clients)) {
741 return;
742 }
743
744 width = vnc_width(vd);
745 height = vnc_height(vd);
746 vd->server = pixman_image_create_bits(VNC_SERVER_FB_FORMAT,
747 width, height,
748 NULL, 0);
749
750 memset(vd->guest.dirty, 0x00, sizeof(vd->guest.dirty));
751 vnc_set_area_dirty(vd->guest.dirty, vd, 0, 0,
752 width, height);
753}
754
755static bool vnc_check_pageflip(DisplaySurface *s1,
756 DisplaySurface *s2)
757{
758 return (s1 != NULL &&
759 s2 != NULL &&
760 surface_width(s1) == surface_width(s2) &&
761 surface_height(s1) == surface_height(s2) &&
762 surface_format(s1) == surface_format(s2));
763
764}
765
766static void vnc_dpy_switch(DisplayChangeListener *dcl,
767 DisplaySurface *surface)
768{
769 static const char placeholder_msg[] =
770 "Display output is not active.";
771 static DisplaySurface *placeholder;
772 VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
773 bool pageflip = vnc_check_pageflip(vd->ds, surface);
774 VncState *vs;
775
776 if (surface == NULL) {
777 if (placeholder == NULL) {
778 placeholder = qemu_create_message_surface(640, 480, placeholder_msg);
779 }
780 surface = placeholder;
781 }
782
783 vnc_abort_display_jobs(vd);
784 vd->ds = surface;
785
786 /* guest surface */
787 qemu_pixman_image_unref(vd->guest.fb);
788 vd->guest.fb = pixman_image_ref(surface->image);
789 vd->guest.format = surface->format;
790
791 if (pageflip) {
792 vnc_set_area_dirty(vd->guest.dirty, vd, 0, 0,
793 surface_width(surface),
794 surface_height(surface));
795 return;
796 }
797
798 /* server surface */
799 vnc_update_server_surface(vd);
800
801 QTAILQ_FOREACH(vs, &vd->clients, next) {
802 vnc_colordepth(vs);
803 vnc_desktop_resize(vs);
804 if (vs->vd->cursor) {
805 vnc_cursor_define(vs);
806 }
807 memset(vs->dirty, 0x00, sizeof(vs->dirty));
808 vnc_set_area_dirty(vs->dirty, vd, 0, 0,
809 vnc_width(vd),
810 vnc_height(vd));
811 vnc_update_throttle_offset(vs);
812 }
813}
814
815/* fastest code */
816static void vnc_write_pixels_copy(VncState *vs,
817 void *pixels, int size)
818{
819 vnc_write(vs, pixels, size);
820}
821
822/* slowest but generic code. */
823void vnc_convert_pixel(VncState *vs, uint8_t *buf, uint32_t v)
824{
825 uint8_t r, g, b;
826
827#if VNC_SERVER_FB_FORMAT == PIXMAN_FORMAT(32, PIXMAN_TYPE_ARGB, 0, 8, 8, 8)
828 r = (((v & 0x00ff0000) >> 16) << vs->client_pf.rbits) >> 8;
829 g = (((v & 0x0000ff00) >> 8) << vs->client_pf.gbits) >> 8;
830 b = (((v & 0x000000ff) >> 0) << vs->client_pf.bbits) >> 8;
831#else
832# error need some bits here if you change VNC_SERVER_FB_FORMAT
833#endif
834 v = (r << vs->client_pf.rshift) |
835 (g << vs->client_pf.gshift) |
836 (b << vs->client_pf.bshift);
837 switch (vs->client_pf.bytes_per_pixel) {
838 case 1:
839 buf[0] = v;
840 break;
841 case 2:
842 if (vs->client_be) {
843 buf[0] = v >> 8;
844 buf[1] = v;
845 } else {
846 buf[1] = v >> 8;
847 buf[0] = v;
848 }
849 break;
850 default:
851 case 4:
852 if (vs->client_be) {
853 buf[0] = v >> 24;
854 buf[1] = v >> 16;
855 buf[2] = v >> 8;
856 buf[3] = v;
857 } else {
858 buf[3] = v >> 24;
859 buf[2] = v >> 16;
860 buf[1] = v >> 8;
861 buf[0] = v;
862 }
863 break;
864 }
865}
866
867static void vnc_write_pixels_generic(VncState *vs,
868 void *pixels1, int size)
869{
870 uint8_t buf[4];
871
872 if (VNC_SERVER_FB_BYTES == 4) {
873 uint32_t *pixels = pixels1;
874 int n, i;
875 n = size >> 2;
876 for (i = 0; i < n; i++) {
877 vnc_convert_pixel(vs, buf, pixels[i]);
878 vnc_write(vs, buf, vs->client_pf.bytes_per_pixel);
879 }
880 }
881}
882
883int vnc_raw_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
884{
885 int i;
886 uint8_t *row;
887 VncDisplay *vd = vs->vd;
888
889 row = vnc_server_fb_ptr(vd, x, y);
890 for (i = 0; i < h; i++) {
891 vs->write_pixels(vs, row, w * VNC_SERVER_FB_BYTES);
892 row += vnc_server_fb_stride(vd);
893 }
894 return 1;
895}
896
897int vnc_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
898{
899 int n = 0;
900 bool encode_raw = false;
901 size_t saved_offs = vs->output.offset;
902
903 switch(vs->vnc_encoding) {
904 case VNC_ENCODING_ZLIB:
905 n = vnc_zlib_send_framebuffer_update(vs, x, y, w, h);
906 break;
907 case VNC_ENCODING_HEXTILE:
908 vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_HEXTILE);
909 n = vnc_hextile_send_framebuffer_update(vs, x, y, w, h);
910 break;
911 case VNC_ENCODING_TIGHT:
912 n = vnc_tight_send_framebuffer_update(vs, x, y, w, h);
913 break;
914 case VNC_ENCODING_TIGHT_PNG:
915 n = vnc_tight_png_send_framebuffer_update(vs, x, y, w, h);
916 break;
917 case VNC_ENCODING_ZRLE:
918 n = vnc_zrle_send_framebuffer_update(vs, x, y, w, h);
919 break;
920 case VNC_ENCODING_ZYWRLE:
921 n = vnc_zywrle_send_framebuffer_update(vs, x, y, w, h);
922 break;
923 default:
924 encode_raw = true;
925 break;
926 }
927
928 /* If the client has the same pixel format as our internal buffer and
929 * a RAW encoding would need less space fall back to RAW encoding to
930 * save bandwidth and processing power in the client. */
931 if (!encode_raw && vs->write_pixels == vnc_write_pixels_copy &&
932 12 + h * w * VNC_SERVER_FB_BYTES <= (vs->output.offset - saved_offs)) {
933 vs->output.offset = saved_offs;
934 encode_raw = true;
935 }
936
937 if (encode_raw) {
938 vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_RAW);
939 n = vnc_raw_send_framebuffer_update(vs, x, y, w, h);
940 }
941
942 return n;
943}
944
945static void vnc_mouse_set(DisplayChangeListener *dcl,
946 int x, int y, int visible)
947{
948 /* can we ask the client(s) to move the pointer ??? */
949}
950
951static int vnc_cursor_define(VncState *vs)
952{
953 QEMUCursor *c = vs->vd->cursor;
954 int isize;
955
956 if (vnc_has_feature(vs, VNC_FEATURE_RICH_CURSOR)) {
957 vnc_lock_output(vs);
958 vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
959 vnc_write_u8(vs, 0); /* padding */
960 vnc_write_u16(vs, 1); /* # of rects */
961 vnc_framebuffer_update(vs, c->hot_x, c->hot_y, c->width, c->height,
962 VNC_ENCODING_RICH_CURSOR);
963 isize = c->width * c->height * vs->client_pf.bytes_per_pixel;
964 vnc_write_pixels_generic(vs, c->data, isize);
965 vnc_write(vs, vs->vd->cursor_mask, vs->vd->cursor_msize);
966 vnc_unlock_output(vs);
967 return 0;
968 }
969 return -1;
970}
971
972static void vnc_dpy_cursor_define(DisplayChangeListener *dcl,
973 QEMUCursor *c)
974{
975 VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
976 VncState *vs;
977
978 cursor_put(vd->cursor);
979 g_free(vd->cursor_mask);
980
981 vd->cursor = c;
982 cursor_get(vd->cursor);
983 vd->cursor_msize = cursor_get_mono_bpl(c) * c->height;
984 vd->cursor_mask = g_malloc0(vd->cursor_msize);
985 cursor_get_mono_mask(c, 0, vd->cursor_mask);
986
987 QTAILQ_FOREACH(vs, &vd->clients, next) {
988 vnc_cursor_define(vs);
989 }
990}
991
992static int find_and_clear_dirty_height(VncState *vs,
993 int y, int last_x, int x, int height)
994{
995 int h;
996
997 for (h = 1; h < (height - y); h++) {
998 if (!test_bit(last_x, vs->dirty[y + h])) {
999 break;
1000 }
1001 bitmap_clear(vs->dirty[y + h], last_x, x - last_x);
1002 }
1003
1004 return h;
1005}
1006
1007/*
1008 * Figure out how much pending data we should allow in the output
1009 * buffer before we throttle incremental display updates, and/or
1010 * drop audio samples.
1011 *
1012 * We allow for equiv of 1 full display's worth of FB updates,
1013 * and 1 second of audio samples. If audio backlog was larger
1014 * than that the client would already suffering awful audio
1015 * glitches, so dropping samples is no worse really).
1016 */
1017static void vnc_update_throttle_offset(VncState *vs)
1018{
1019 size_t offset =
1020 vs->client_width * vs->client_height * vs->client_pf.bytes_per_pixel;
1021
1022 if (vs->audio_cap) {
1023 int bps;
1024 switch (vs->as.fmt) {
1025 default:
1026 case AUDIO_FORMAT_U8:
1027 case AUDIO_FORMAT_S8:
1028 bps = 1;
1029 break;
1030 case AUDIO_FORMAT_U16:
1031 case AUDIO_FORMAT_S16:
1032 bps = 2;
1033 break;
1034 case AUDIO_FORMAT_U32:
1035 case AUDIO_FORMAT_S32:
1036 bps = 4;
1037 break;
1038 }
1039 offset += vs->as.freq * bps * vs->as.nchannels;
1040 }
1041
1042 /* Put a floor of 1MB on offset, so that if we have a large pending
1043 * buffer and the display is resized to a small size & back again
1044 * we don't suddenly apply a tiny send limit
1045 */
1046 offset = MAX(offset, 1024 * 1024);
1047
1048 if (vs->throttle_output_offset != offset) {
1049 trace_vnc_client_throttle_threshold(
1050 vs, vs->ioc, vs->throttle_output_offset, offset, vs->client_width,
1051 vs->client_height, vs->client_pf.bytes_per_pixel, vs->audio_cap);
1052 }
1053
1054 vs->throttle_output_offset = offset;
1055}
1056
1057static bool vnc_should_update(VncState *vs)
1058{
1059 switch (vs->update) {
1060 case VNC_STATE_UPDATE_NONE:
1061 break;
1062 case VNC_STATE_UPDATE_INCREMENTAL:
1063 /* Only allow incremental updates if the pending send queue
1064 * is less than the permitted threshold, and the job worker
1065 * is completely idle.
1066 */
1067 if (vs->output.offset < vs->throttle_output_offset &&
1068 vs->job_update == VNC_STATE_UPDATE_NONE) {
1069 return true;
1070 }
1071 trace_vnc_client_throttle_incremental(
1072 vs, vs->ioc, vs->job_update, vs->output.offset);
1073 break;
1074 case VNC_STATE_UPDATE_FORCE:
1075 /* Only allow forced updates if the pending send queue
1076 * does not contain a previous forced update, and the
1077 * job worker is completely idle.
1078 *
1079 * Note this means we'll queue a forced update, even if
1080 * the output buffer size is otherwise over the throttle
1081 * output limit.
1082 */
1083 if (vs->force_update_offset == 0 &&
1084 vs->job_update == VNC_STATE_UPDATE_NONE) {
1085 return true;
1086 }
1087 trace_vnc_client_throttle_forced(
1088 vs, vs->ioc, vs->job_update, vs->force_update_offset);
1089 break;
1090 }
1091 return false;
1092}
1093
1094static int vnc_update_client(VncState *vs, int has_dirty)
1095{
1096 VncDisplay *vd = vs->vd;
1097 VncJob *job;
1098 int y;
1099 int height, width;
1100 int n = 0;
1101
1102 if (vs->disconnecting) {
1103 vnc_disconnect_finish(vs);
1104 return 0;
1105 }
1106
1107 vs->has_dirty += has_dirty;
1108 if (!vnc_should_update(vs)) {
1109 return 0;
1110 }
1111
1112 if (!vs->has_dirty && vs->update != VNC_STATE_UPDATE_FORCE) {
1113 return 0;
1114 }
1115
1116 /*
1117 * Send screen updates to the vnc client using the server
1118 * surface and server dirty map. guest surface updates
1119 * happening in parallel don't disturb us, the next pass will
1120 * send them to the client.
1121 */
1122 job = vnc_job_new(vs);
1123
1124 height = pixman_image_get_height(vd->server);
1125 width = pixman_image_get_width(vd->server);
1126
1127 y = 0;
1128 for (;;) {
1129 int x, h;
1130 unsigned long x2;
1131 unsigned long offset = find_next_bit((unsigned long *) &vs->dirty,
1132 height * VNC_DIRTY_BPL(vs),
1133 y * VNC_DIRTY_BPL(vs));
1134 if (offset == height * VNC_DIRTY_BPL(vs)) {
1135 /* no more dirty bits */
1136 break;
1137 }
1138 y = offset / VNC_DIRTY_BPL(vs);
1139 x = offset % VNC_DIRTY_BPL(vs);
1140 x2 = find_next_zero_bit((unsigned long *) &vs->dirty[y],
1141 VNC_DIRTY_BPL(vs), x);
1142 bitmap_clear(vs->dirty[y], x, x2 - x);
1143 h = find_and_clear_dirty_height(vs, y, x, x2, height);
1144 x2 = MIN(x2, width / VNC_DIRTY_PIXELS_PER_BIT);
1145 if (x2 > x) {
1146 n += vnc_job_add_rect(job, x * VNC_DIRTY_PIXELS_PER_BIT, y,
1147 (x2 - x) * VNC_DIRTY_PIXELS_PER_BIT, h);
1148 }
1149 if (!x && x2 == width / VNC_DIRTY_PIXELS_PER_BIT) {
1150 y += h;
1151 if (y == height) {
1152 break;
1153 }
1154 }
1155 }
1156
1157 vs->job_update = vs->update;
1158 vs->update = VNC_STATE_UPDATE_NONE;
1159 vnc_job_push(job);
1160 vs->has_dirty = 0;
1161 return n;
1162}
1163
1164/* audio */
1165static void audio_capture_notify(void *opaque, audcnotification_e cmd)
1166{
1167 VncState *vs = opaque;
1168
1169 assert(vs->magic == VNC_MAGIC);
1170 switch (cmd) {
1171 case AUD_CNOTIFY_DISABLE:
1172 vnc_lock_output(vs);
1173 vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1174 vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1175 vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_END);
1176 vnc_unlock_output(vs);
1177 vnc_flush(vs);
1178 break;
1179
1180 case AUD_CNOTIFY_ENABLE:
1181 vnc_lock_output(vs);
1182 vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1183 vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1184 vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_BEGIN);
1185 vnc_unlock_output(vs);
1186 vnc_flush(vs);
1187 break;
1188 }
1189}
1190
1191static void audio_capture_destroy(void *opaque)
1192{
1193}
1194
1195static void audio_capture(void *opaque, void *buf, int size)
1196{
1197 VncState *vs = opaque;
1198
1199 assert(vs->magic == VNC_MAGIC);
1200 vnc_lock_output(vs);
1201 if (vs->output.offset < vs->throttle_output_offset) {
1202 vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
1203 vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
1204 vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_DATA);
1205 vnc_write_u32(vs, size);
1206 vnc_write(vs, buf, size);
1207 } else {
1208 trace_vnc_client_throttle_audio(vs, vs->ioc, vs->output.offset);
1209 }
1210 vnc_unlock_output(vs);
1211 vnc_flush(vs);
1212}
1213
1214static void audio_add(VncState *vs)
1215{
1216 struct audio_capture_ops ops;
1217
1218 if (vs->audio_cap) {
1219 error_report("audio already running");
1220 return;
1221 }
1222
1223 ops.notify = audio_capture_notify;
1224 ops.destroy = audio_capture_destroy;
1225 ops.capture = audio_capture;
1226
1227 vs->audio_cap = AUD_add_capture(vs->vd->audio_state, &vs->as, &ops, vs);
1228 if (!vs->audio_cap) {
1229 error_report("Failed to add audio capture");
1230 }
1231}
1232
1233static void audio_del(VncState *vs)
1234{
1235 if (vs->audio_cap) {
1236 AUD_del_capture(vs->audio_cap, vs);
1237 vs->audio_cap = NULL;
1238 }
1239}
1240
1241static void vnc_disconnect_start(VncState *vs)
1242{
1243 if (vs->disconnecting) {
1244 return;
1245 }
1246 trace_vnc_client_disconnect_start(vs, vs->ioc);
1247 vnc_set_share_mode(vs, VNC_SHARE_MODE_DISCONNECTED);
1248 if (vs->ioc_tag) {
1249 g_source_remove(vs->ioc_tag);
1250 vs->ioc_tag = 0;
1251 }
1252 qio_channel_close(vs->ioc, NULL);
1253 vs->disconnecting = TRUE;
1254}
1255
1256void vnc_disconnect_finish(VncState *vs)
1257{
1258 int i;
1259
1260 trace_vnc_client_disconnect_finish(vs, vs->ioc);
1261
1262 vnc_jobs_join(vs); /* Wait encoding jobs */
1263
1264 vnc_lock_output(vs);
1265 vnc_qmp_event(vs, QAPI_EVENT_VNC_DISCONNECTED);
1266
1267 buffer_free(&vs->input);
1268 buffer_free(&vs->output);
1269
1270 qapi_free_VncClientInfo(vs->info);
1271
1272 vnc_zlib_clear(vs);
1273 vnc_tight_clear(vs);
1274 vnc_zrle_clear(vs);
1275
1276#ifdef CONFIG_VNC_SASL
1277 vnc_sasl_client_cleanup(vs);
1278#endif /* CONFIG_VNC_SASL */
1279 audio_del(vs);
1280 qkbd_state_lift_all_keys(vs->vd->kbd);
1281
1282 if (vs->mouse_mode_notifier.notify != NULL) {
1283 qemu_remove_mouse_mode_change_notifier(&vs->mouse_mode_notifier);
1284 }
1285 QTAILQ_REMOVE(&vs->vd->clients, vs, next);
1286 if (QTAILQ_EMPTY(&vs->vd->clients)) {
1287 /* last client gone */
1288 vnc_update_server_surface(vs->vd);
1289 }
1290
1291 vnc_unlock_output(vs);
1292
1293 qemu_mutex_destroy(&vs->output_mutex);
1294 if (vs->bh != NULL) {
1295 qemu_bh_delete(vs->bh);
1296 }
1297 buffer_free(&vs->jobs_buffer);
1298
1299 for (i = 0; i < VNC_STAT_ROWS; ++i) {
1300 g_free(vs->lossy_rect[i]);
1301 }
1302 g_free(vs->lossy_rect);
1303
1304 object_unref(OBJECT(vs->ioc));
1305 vs->ioc = NULL;
1306 object_unref(OBJECT(vs->sioc));
1307 vs->sioc = NULL;
1308 vs->magic = 0;
1309 g_free(vs);
1310}
1311
1312size_t vnc_client_io_error(VncState *vs, ssize_t ret, Error **errp)
1313{
1314 if (ret <= 0) {
1315 if (ret == 0) {
1316 trace_vnc_client_eof(vs, vs->ioc);
1317 vnc_disconnect_start(vs);
1318 } else if (ret != QIO_CHANNEL_ERR_BLOCK) {
1319 trace_vnc_client_io_error(vs, vs->ioc,
1320 errp ? error_get_pretty(*errp) :
1321 "Unknown");
1322 vnc_disconnect_start(vs);
1323 }
1324
1325 if (errp) {
1326 error_free(*errp);
1327 *errp = NULL;
1328 }
1329 return 0;
1330 }
1331 return ret;
1332}
1333
1334
1335void vnc_client_error(VncState *vs)
1336{
1337 VNC_DEBUG("Closing down client sock: protocol error\n");
1338 vnc_disconnect_start(vs);
1339}
1340
1341
1342/*
1343 * Called to write a chunk of data to the client socket. The data may
1344 * be the raw data, or may have already been encoded by SASL.
1345 * The data will be written either straight onto the socket, or
1346 * written via the GNUTLS wrappers, if TLS/SSL encryption is enabled
1347 *
1348 * NB, it is theoretically possible to have 2 layers of encryption,
1349 * both SASL, and this TLS layer. It is highly unlikely in practice
1350 * though, since SASL encryption will typically be a no-op if TLS
1351 * is active
1352 *
1353 * Returns the number of bytes written, which may be less than
1354 * the requested 'datalen' if the socket would block. Returns
1355 * 0 on I/O error, and disconnects the client socket.
1356 */
1357size_t vnc_client_write_buf(VncState *vs, const uint8_t *data, size_t datalen)
1358{
1359 Error *err = NULL;
1360 ssize_t ret;
1361 ret = qio_channel_write(
1362 vs->ioc, (const char *)data, datalen, &err);
1363 VNC_DEBUG("Wrote wire %p %zd -> %ld\n", data, datalen, ret);
1364 return vnc_client_io_error(vs, ret, &err);
1365}
1366
1367
1368/*
1369 * Called to write buffered data to the client socket, when not
1370 * using any SASL SSF encryption layers. Will write as much data
1371 * as possible without blocking. If all buffered data is written,
1372 * will switch the FD poll() handler back to read monitoring.
1373 *
1374 * Returns the number of bytes written, which may be less than
1375 * the buffered output data if the socket would block. Returns
1376 * 0 on I/O error, and disconnects the client socket.
1377 */
1378static size_t vnc_client_write_plain(VncState *vs)
1379{
1380 size_t offset;
1381 size_t ret;
1382
1383#ifdef CONFIG_VNC_SASL
1384 VNC_DEBUG("Write Plain: Pending output %p size %zd offset %zd. Wait SSF %d\n",
1385 vs->output.buffer, vs->output.capacity, vs->output.offset,
1386 vs->sasl.waitWriteSSF);
1387
1388 if (vs->sasl.conn &&
1389 vs->sasl.runSSF &&
1390 vs->sasl.waitWriteSSF) {
1391 ret = vnc_client_write_buf(vs, vs->output.buffer, vs->sasl.waitWriteSSF);
1392 if (ret)
1393 vs->sasl.waitWriteSSF -= ret;
1394 } else
1395#endif /* CONFIG_VNC_SASL */
1396 ret = vnc_client_write_buf(vs, vs->output.buffer, vs->output.offset);
1397 if (!ret)
1398 return 0;
1399
1400 if (ret >= vs->force_update_offset) {
1401 if (vs->force_update_offset != 0) {
1402 trace_vnc_client_unthrottle_forced(vs, vs->ioc);
1403 }
1404 vs->force_update_offset = 0;
1405 } else {
1406 vs->force_update_offset -= ret;
1407 }
1408 offset = vs->output.offset;
1409 buffer_advance(&vs->output, ret);
1410 if (offset >= vs->throttle_output_offset &&
1411 vs->output.offset < vs->throttle_output_offset) {
1412 trace_vnc_client_unthrottle_incremental(vs, vs->ioc, vs->output.offset);
1413 }
1414
1415 if (vs->output.offset == 0) {
1416 if (vs->ioc_tag) {
1417 g_source_remove(vs->ioc_tag);
1418 }
1419 vs->ioc_tag = qio_channel_add_watch(
1420 vs->ioc, G_IO_IN, vnc_client_io, vs, NULL);
1421 }
1422
1423 return ret;
1424}
1425
1426
1427/*
1428 * First function called whenever there is data to be written to
1429 * the client socket. Will delegate actual work according to whether
1430 * SASL SSF layers are enabled (thus requiring encryption calls)
1431 */
1432static void vnc_client_write_locked(VncState *vs)
1433{
1434#ifdef CONFIG_VNC_SASL
1435 if (vs->sasl.conn &&
1436 vs->sasl.runSSF &&
1437 !vs->sasl.waitWriteSSF) {
1438 vnc_client_write_sasl(vs);
1439 } else
1440#endif /* CONFIG_VNC_SASL */
1441 {
1442 vnc_client_write_plain(vs);
1443 }
1444}
1445
1446static void vnc_client_write(VncState *vs)
1447{
1448 assert(vs->magic == VNC_MAGIC);
1449 vnc_lock_output(vs);
1450 if (vs->output.offset) {
1451 vnc_client_write_locked(vs);
1452 } else if (vs->ioc != NULL) {
1453 if (vs->ioc_tag) {
1454 g_source_remove(vs->ioc_tag);
1455 }
1456 vs->ioc_tag = qio_channel_add_watch(
1457 vs->ioc, G_IO_IN, vnc_client_io, vs, NULL);
1458 }
1459 vnc_unlock_output(vs);
1460}
1461
1462void vnc_read_when(VncState *vs, VncReadEvent *func, size_t expecting)
1463{
1464 vs->read_handler = func;
1465 vs->read_handler_expect = expecting;
1466}
1467
1468
1469/*
1470 * Called to read a chunk of data from the client socket. The data may
1471 * be the raw data, or may need to be further decoded by SASL.
1472 * The data will be read either straight from to the socket, or
1473 * read via the GNUTLS wrappers, if TLS/SSL encryption is enabled
1474 *
1475 * NB, it is theoretically possible to have 2 layers of encryption,
1476 * both SASL, and this TLS layer. It is highly unlikely in practice
1477 * though, since SASL encryption will typically be a no-op if TLS
1478 * is active
1479 *
1480 * Returns the number of bytes read, which may be less than
1481 * the requested 'datalen' if the socket would block. Returns
1482 * 0 on I/O error or EOF, and disconnects the client socket.
1483 */
1484size_t vnc_client_read_buf(VncState *vs, uint8_t *data, size_t datalen)
1485{
1486 ssize_t ret;
1487 Error *err = NULL;
1488 ret = qio_channel_read(
1489 vs->ioc, (char *)data, datalen, &err);
1490 VNC_DEBUG("Read wire %p %zd -> %ld\n", data, datalen, ret);
1491 return vnc_client_io_error(vs, ret, &err);
1492}
1493
1494
1495/*
1496 * Called to read data from the client socket to the input buffer,
1497 * when not using any SASL SSF encryption layers. Will read as much
1498 * data as possible without blocking.
1499 *
1500 * Returns the number of bytes read, which may be less than
1501 * the requested 'datalen' if the socket would block. Returns
1502 * 0 on I/O error or EOF, and disconnects the client socket.
1503 */
1504static size_t vnc_client_read_plain(VncState *vs)
1505{
1506 size_t ret;
1507 VNC_DEBUG("Read plain %p size %zd offset %zd\n",
1508 vs->input.buffer, vs->input.capacity, vs->input.offset);
1509 buffer_reserve(&vs->input, 4096);
1510 ret = vnc_client_read_buf(vs, buffer_end(&vs->input), 4096);
1511 if (!ret)
1512 return 0;
1513 vs->input.offset += ret;
1514 return ret;
1515}
1516
1517static void vnc_jobs_bh(void *opaque)
1518{
1519 VncState *vs = opaque;
1520
1521 assert(vs->magic == VNC_MAGIC);
1522 vnc_jobs_consume_buffer(vs);
1523}
1524
1525/*
1526 * First function called whenever there is more data to be read from
1527 * the client socket. Will delegate actual work according to whether
1528 * SASL SSF layers are enabled (thus requiring decryption calls)
1529 * Returns 0 on success, -1 if client disconnected
1530 */
1531static int vnc_client_read(VncState *vs)
1532{
1533 size_t ret;
1534
1535#ifdef CONFIG_VNC_SASL
1536 if (vs->sasl.conn && vs->sasl.runSSF)
1537 ret = vnc_client_read_sasl(vs);
1538 else
1539#endif /* CONFIG_VNC_SASL */
1540 ret = vnc_client_read_plain(vs);
1541 if (!ret) {
1542 if (vs->disconnecting) {
1543 vnc_disconnect_finish(vs);
1544 return -1;
1545 }
1546 return 0;
1547 }
1548
1549 while (vs->read_handler && vs->input.offset >= vs->read_handler_expect) {
1550 size_t len = vs->read_handler_expect;
1551 int ret;
1552
1553 ret = vs->read_handler(vs, vs->input.buffer, len);
1554 if (vs->disconnecting) {
1555 vnc_disconnect_finish(vs);
1556 return -1;
1557 }
1558
1559 if (!ret) {
1560 buffer_advance(&vs->input, len);
1561 } else {
1562 vs->read_handler_expect = ret;
1563 }
1564 }
1565 return 0;
1566}
1567
1568gboolean vnc_client_io(QIOChannel *ioc G_GNUC_UNUSED,
1569 GIOCondition condition, void *opaque)
1570{
1571 VncState *vs = opaque;
1572
1573 assert(vs->magic == VNC_MAGIC);
1574 if (condition & G_IO_IN) {
1575 if (vnc_client_read(vs) < 0) {
1576 /* vs is free()ed here */
1577 return TRUE;
1578 }
1579 }
1580 if (condition & G_IO_OUT) {
1581 vnc_client_write(vs);
1582 }
1583
1584 if (vs->disconnecting) {
1585 if (vs->ioc_tag != 0) {
1586 g_source_remove(vs->ioc_tag);
1587 }
1588 vs->ioc_tag = 0;
1589 }
1590 return TRUE;
1591}
1592
1593
1594/*
1595 * Scale factor to apply to vs->throttle_output_offset when checking for
1596 * hard limit. Worst case normal usage could be x2, if we have a complete
1597 * incremental update and complete forced update in the output buffer.
1598 * So x3 should be good enough, but we pick x5 to be conservative and thus
1599 * (hopefully) never trigger incorrectly.
1600 */
1601#define VNC_THROTTLE_OUTPUT_LIMIT_SCALE 5
1602
1603void vnc_write(VncState *vs, const void *data, size_t len)
1604{
1605 assert(vs->magic == VNC_MAGIC);
1606 if (vs->disconnecting) {
1607 return;
1608 }
1609 /* Protection against malicious client/guest to prevent our output
1610 * buffer growing without bound if client stops reading data. This
1611 * should rarely trigger, because we have earlier throttling code
1612 * which stops issuing framebuffer updates and drops audio data
1613 * if the throttle_output_offset value is exceeded. So we only reach
1614 * this higher level if a huge number of pseudo-encodings get
1615 * triggered while data can't be sent on the socket.
1616 *
1617 * NB throttle_output_offset can be zero during early protocol
1618 * handshake, or from the job thread's VncState clone
1619 */
1620 if (vs->throttle_output_offset != 0 &&
1621 (vs->output.offset / VNC_THROTTLE_OUTPUT_LIMIT_SCALE) >
1622 vs->throttle_output_offset) {
1623 trace_vnc_client_output_limit(vs, vs->ioc, vs->output.offset,
1624 vs->throttle_output_offset);
1625 vnc_disconnect_start(vs);
1626 return;
1627 }
1628 buffer_reserve(&vs->output, len);
1629
1630 if (vs->ioc != NULL && buffer_empty(&vs->output)) {
1631 if (vs->ioc_tag) {
1632 g_source_remove(vs->ioc_tag);
1633 }
1634 vs->ioc_tag = qio_channel_add_watch(
1635 vs->ioc, G_IO_IN | G_IO_OUT, vnc_client_io, vs, NULL);
1636 }
1637
1638 buffer_append(&vs->output, data, len);
1639}
1640
1641void vnc_write_s32(VncState *vs, int32_t value)
1642{
1643 vnc_write_u32(vs, *(uint32_t *)&value);
1644}
1645
1646void vnc_write_u32(VncState *vs, uint32_t value)
1647{
1648 uint8_t buf[4];
1649
1650 buf[0] = (value >> 24) & 0xFF;
1651 buf[1] = (value >> 16) & 0xFF;
1652 buf[2] = (value >> 8) & 0xFF;
1653 buf[3] = value & 0xFF;
1654
1655 vnc_write(vs, buf, 4);
1656}
1657
1658void vnc_write_u16(VncState *vs, uint16_t value)
1659{
1660 uint8_t buf[2];
1661
1662 buf[0] = (value >> 8) & 0xFF;
1663 buf[1] = value & 0xFF;
1664
1665 vnc_write(vs, buf, 2);
1666}
1667
1668void vnc_write_u8(VncState *vs, uint8_t value)
1669{
1670 vnc_write(vs, (char *)&value, 1);
1671}
1672
1673void vnc_flush(VncState *vs)
1674{
1675 vnc_lock_output(vs);
1676 if (vs->ioc != NULL && vs->output.offset) {
1677 vnc_client_write_locked(vs);
1678 }
1679 if (vs->disconnecting) {
1680 if (vs->ioc_tag != 0) {
1681 g_source_remove(vs->ioc_tag);
1682 }
1683 vs->ioc_tag = 0;
1684 }
1685 vnc_unlock_output(vs);
1686}
1687
1688static uint8_t read_u8(uint8_t *data, size_t offset)
1689{
1690 return data[offset];
1691}
1692
1693static uint16_t read_u16(uint8_t *data, size_t offset)
1694{
1695 return ((data[offset] & 0xFF) << 8) | (data[offset + 1] & 0xFF);
1696}
1697
1698static int32_t read_s32(uint8_t *data, size_t offset)
1699{
1700 return (int32_t)((data[offset] << 24) | (data[offset + 1] << 16) |
1701 (data[offset + 2] << 8) | data[offset + 3]);
1702}
1703
1704uint32_t read_u32(uint8_t *data, size_t offset)
1705{
1706 return ((data[offset] << 24) | (data[offset + 1] << 16) |
1707 (data[offset + 2] << 8) | data[offset + 3]);
1708}
1709
1710static void client_cut_text(VncState *vs, size_t len, uint8_t *text)
1711{
1712}
1713
1714static void check_pointer_type_change(Notifier *notifier, void *data)
1715{
1716 VncState *vs = container_of(notifier, VncState, mouse_mode_notifier);
1717 int absolute = qemu_input_is_absolute();
1718
1719 if (vnc_has_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE) && vs->absolute != absolute) {
1720 vnc_lock_output(vs);
1721 vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1722 vnc_write_u8(vs, 0);
1723 vnc_write_u16(vs, 1);
1724 vnc_framebuffer_update(vs, absolute, 0,
1725 pixman_image_get_width(vs->vd->server),
1726 pixman_image_get_height(vs->vd->server),
1727 VNC_ENCODING_POINTER_TYPE_CHANGE);
1728 vnc_unlock_output(vs);
1729 vnc_flush(vs);
1730 }
1731 vs->absolute = absolute;
1732}
1733
1734static void pointer_event(VncState *vs, int button_mask, int x, int y)
1735{
1736 static uint32_t bmap[INPUT_BUTTON__MAX] = {
1737 [INPUT_BUTTON_LEFT] = 0x01,
1738 [INPUT_BUTTON_MIDDLE] = 0x02,
1739 [INPUT_BUTTON_RIGHT] = 0x04,
1740 [INPUT_BUTTON_WHEEL_UP] = 0x08,
1741 [INPUT_BUTTON_WHEEL_DOWN] = 0x10,
1742 };
1743 QemuConsole *con = vs->vd->dcl.con;
1744 int width = pixman_image_get_width(vs->vd->server);
1745 int height = pixman_image_get_height(vs->vd->server);
1746
1747 if (vs->last_bmask != button_mask) {
1748 qemu_input_update_buttons(con, bmap, vs->last_bmask, button_mask);
1749 vs->last_bmask = button_mask;
1750 }
1751
1752 if (vs->absolute) {
1753 qemu_input_queue_abs(con, INPUT_AXIS_X, x, 0, width);
1754 qemu_input_queue_abs(con, INPUT_AXIS_Y, y, 0, height);
1755 } else if (vnc_has_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE)) {
1756 qemu_input_queue_rel(con, INPUT_AXIS_X, x - 0x7FFF);
1757 qemu_input_queue_rel(con, INPUT_AXIS_Y, y - 0x7FFF);
1758 } else {
1759 if (vs->last_x != -1) {
1760 qemu_input_queue_rel(con, INPUT_AXIS_X, x - vs->last_x);
1761 qemu_input_queue_rel(con, INPUT_AXIS_Y, y - vs->last_y);
1762 }
1763 vs->last_x = x;
1764 vs->last_y = y;
1765 }
1766 qemu_input_event_sync();
1767}
1768
1769static void press_key(VncState *vs, QKeyCode qcode)
1770{
1771 qkbd_state_key_event(vs->vd->kbd, qcode, true);
1772 qkbd_state_key_event(vs->vd->kbd, qcode, false);
1773}
1774
1775static void vnc_led_state_change(VncState *vs)
1776{
1777 if (!vnc_has_feature(vs, VNC_FEATURE_LED_STATE)) {
1778 return;
1779 }
1780
1781 vnc_lock_output(vs);
1782 vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
1783 vnc_write_u8(vs, 0);
1784 vnc_write_u16(vs, 1);
1785 vnc_framebuffer_update(vs, 0, 0, 1, 1, VNC_ENCODING_LED_STATE);
1786 vnc_write_u8(vs, vs->vd->ledstate);
1787 vnc_unlock_output(vs);
1788 vnc_flush(vs);
1789}
1790
1791static void kbd_leds(void *opaque, int ledstate)
1792{
1793 VncDisplay *vd = opaque;
1794 VncState *client;
1795
1796 trace_vnc_key_guest_leds((ledstate & QEMU_CAPS_LOCK_LED),
1797 (ledstate & QEMU_NUM_LOCK_LED),
1798 (ledstate & QEMU_SCROLL_LOCK_LED));
1799
1800 if (ledstate == vd->ledstate) {
1801 return;
1802 }
1803
1804 vd->ledstate = ledstate;
1805
1806 QTAILQ_FOREACH(client, &vd->clients, next) {
1807 vnc_led_state_change(client);
1808 }
1809}
1810
1811static void do_key_event(VncState *vs, int down, int keycode, int sym)
1812{
1813 QKeyCode qcode = qemu_input_key_number_to_qcode(keycode);
1814
1815 /* QEMU console switch */
1816 switch (qcode) {
1817 case Q_KEY_CODE_1 ... Q_KEY_CODE_9: /* '1' to '9' keys */
1818 if (vs->vd->dcl.con == NULL && down &&
1819 qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_CTRL) &&
1820 qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_ALT)) {
1821 /* Reset the modifiers sent to the current console */
1822 qkbd_state_lift_all_keys(vs->vd->kbd);
1823 console_select(qcode - Q_KEY_CODE_1);
1824 return;
1825 }
1826 default:
1827 break;
1828 }
1829
1830 /* Turn off the lock state sync logic if the client support the led
1831 state extension.
1832 */
1833 if (down && vs->vd->lock_key_sync &&
1834 !vnc_has_feature(vs, VNC_FEATURE_LED_STATE) &&
1835 keycode_is_keypad(vs->vd->kbd_layout, keycode)) {
1836 /* If the numlock state needs to change then simulate an additional
1837 keypress before sending this one. This will happen if the user
1838 toggles numlock away from the VNC window.
1839 */
1840 if (keysym_is_numlock(vs->vd->kbd_layout, sym & 0xFFFF)) {
1841 if (!qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_NUMLOCK)) {
1842 trace_vnc_key_sync_numlock(true);
1843 press_key(vs, Q_KEY_CODE_NUM_LOCK);
1844 }
1845 } else {
1846 if (qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_NUMLOCK)) {
1847 trace_vnc_key_sync_numlock(false);
1848 press_key(vs, Q_KEY_CODE_NUM_LOCK);
1849 }
1850 }
1851 }
1852
1853 if (down && vs->vd->lock_key_sync &&
1854 !vnc_has_feature(vs, VNC_FEATURE_LED_STATE) &&
1855 ((sym >= 'A' && sym <= 'Z') || (sym >= 'a' && sym <= 'z'))) {
1856 /* If the capslock state needs to change then simulate an additional
1857 keypress before sending this one. This will happen if the user
1858 toggles capslock away from the VNC window.
1859 */
1860 int uppercase = !!(sym >= 'A' && sym <= 'Z');
1861 bool shift = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_SHIFT);
1862 bool capslock = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_CAPSLOCK);
1863 if (capslock) {
1864 if (uppercase == shift) {
1865 trace_vnc_key_sync_capslock(false);
1866 press_key(vs, Q_KEY_CODE_CAPS_LOCK);
1867 }
1868 } else {
1869 if (uppercase != shift) {
1870 trace_vnc_key_sync_capslock(true);
1871 press_key(vs, Q_KEY_CODE_CAPS_LOCK);
1872 }
1873 }
1874 }
1875
1876 qkbd_state_key_event(vs->vd->kbd, qcode, down);
1877 if (!qemu_console_is_graphic(NULL)) {
1878 bool numlock = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_NUMLOCK);
1879 bool control = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_CTRL);
1880 /* QEMU console emulation */
1881 if (down) {
1882 switch (keycode) {
1883 case 0x2a: /* Left Shift */
1884 case 0x36: /* Right Shift */
1885 case 0x1d: /* Left CTRL */
1886 case 0x9d: /* Right CTRL */
1887 case 0x38: /* Left ALT */
1888 case 0xb8: /* Right ALT */
1889 break;
1890 case 0xc8:
1891 kbd_put_keysym(QEMU_KEY_UP);
1892 break;
1893 case 0xd0:
1894 kbd_put_keysym(QEMU_KEY_DOWN);
1895 break;
1896 case 0xcb:
1897 kbd_put_keysym(QEMU_KEY_LEFT);
1898 break;
1899 case 0xcd:
1900 kbd_put_keysym(QEMU_KEY_RIGHT);
1901 break;
1902 case 0xd3:
1903 kbd_put_keysym(QEMU_KEY_DELETE);
1904 break;
1905 case 0xc7:
1906 kbd_put_keysym(QEMU_KEY_HOME);
1907 break;
1908 case 0xcf:
1909 kbd_put_keysym(QEMU_KEY_END);
1910 break;
1911 case 0xc9:
1912 kbd_put_keysym(QEMU_KEY_PAGEUP);
1913 break;
1914 case 0xd1:
1915 kbd_put_keysym(QEMU_KEY_PAGEDOWN);
1916 break;
1917
1918 case 0x47:
1919 kbd_put_keysym(numlock ? '7' : QEMU_KEY_HOME);
1920 break;
1921 case 0x48:
1922 kbd_put_keysym(numlock ? '8' : QEMU_KEY_UP);
1923 break;
1924 case 0x49:
1925 kbd_put_keysym(numlock ? '9' : QEMU_KEY_PAGEUP);
1926 break;
1927 case 0x4b:
1928 kbd_put_keysym(numlock ? '4' : QEMU_KEY_LEFT);
1929 break;
1930 case 0x4c:
1931 kbd_put_keysym('5');
1932 break;
1933 case 0x4d:
1934 kbd_put_keysym(numlock ? '6' : QEMU_KEY_RIGHT);
1935 break;
1936 case 0x4f:
1937 kbd_put_keysym(numlock ? '1' : QEMU_KEY_END);
1938 break;
1939 case 0x50:
1940 kbd_put_keysym(numlock ? '2' : QEMU_KEY_DOWN);
1941 break;
1942 case 0x51:
1943 kbd_put_keysym(numlock ? '3' : QEMU_KEY_PAGEDOWN);
1944 break;
1945 case 0x52:
1946 kbd_put_keysym('0');
1947 break;
1948 case 0x53:
1949 kbd_put_keysym(numlock ? '.' : QEMU_KEY_DELETE);
1950 break;
1951
1952 case 0xb5:
1953 kbd_put_keysym('/');
1954 break;
1955 case 0x37:
1956 kbd_put_keysym('*');
1957 break;
1958 case 0x4a:
1959 kbd_put_keysym('-');
1960 break;
1961 case 0x4e:
1962 kbd_put_keysym('+');
1963 break;
1964 case 0x9c:
1965 kbd_put_keysym('\n');
1966 break;
1967
1968 default:
1969 if (control) {
1970 kbd_put_keysym(sym & 0x1f);
1971 } else {
1972 kbd_put_keysym(sym);
1973 }
1974 break;
1975 }
1976 }
1977 }
1978}
1979
1980static const char *code2name(int keycode)
1981{
1982 return QKeyCode_str(qemu_input_key_number_to_qcode(keycode));
1983}
1984
1985static void key_event(VncState *vs, int down, uint32_t sym)
1986{
1987 int keycode;
1988 int lsym = sym;
1989
1990 if (lsym >= 'A' && lsym <= 'Z' && qemu_console_is_graphic(NULL)) {
1991 lsym = lsym - 'A' + 'a';
1992 }
1993
1994 keycode = keysym2scancode(vs->vd->kbd_layout, lsym & 0xFFFF,
1995 vs->vd->kbd, down) & SCANCODE_KEYMASK;
1996 trace_vnc_key_event_map(down, sym, keycode, code2name(keycode));
1997 do_key_event(vs, down, keycode, sym);
1998}
1999
2000static void ext_key_event(VncState *vs, int down,
2001 uint32_t sym, uint16_t keycode)
2002{
2003 /* if the user specifies a keyboard layout, always use it */
2004 if (keyboard_layout) {
2005 key_event(vs, down, sym);
2006 } else {
2007 trace_vnc_key_event_ext(down, sym, keycode, code2name(keycode));
2008 do_key_event(vs, down, keycode, sym);
2009 }
2010}
2011
2012static void framebuffer_update_request(VncState *vs, int incremental,
2013 int x, int y, int w, int h)
2014{
2015 if (incremental) {
2016 if (vs->update != VNC_STATE_UPDATE_FORCE) {
2017 vs->update = VNC_STATE_UPDATE_INCREMENTAL;
2018 }
2019 } else {
2020 vs->update = VNC_STATE_UPDATE_FORCE;
2021 vnc_set_area_dirty(vs->dirty, vs->vd, x, y, w, h);
2022 }
2023}
2024
2025static void send_ext_key_event_ack(VncState *vs)
2026{
2027 vnc_lock_output(vs);
2028 vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2029 vnc_write_u8(vs, 0);
2030 vnc_write_u16(vs, 1);
2031 vnc_framebuffer_update(vs, 0, 0,
2032 pixman_image_get_width(vs->vd->server),
2033 pixman_image_get_height(vs->vd->server),
2034 VNC_ENCODING_EXT_KEY_EVENT);
2035 vnc_unlock_output(vs);
2036 vnc_flush(vs);
2037}
2038
2039static void send_ext_audio_ack(VncState *vs)
2040{
2041 vnc_lock_output(vs);
2042 vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2043 vnc_write_u8(vs, 0);
2044 vnc_write_u16(vs, 1);
2045 vnc_framebuffer_update(vs, 0, 0,
2046 pixman_image_get_width(vs->vd->server),
2047 pixman_image_get_height(vs->vd->server),
2048 VNC_ENCODING_AUDIO);
2049 vnc_unlock_output(vs);
2050 vnc_flush(vs);
2051}
2052
2053static void set_encodings(VncState *vs, int32_t *encodings, size_t n_encodings)
2054{
2055 int i;
2056 unsigned int enc = 0;
2057
2058 vs->features = 0;
2059 vs->vnc_encoding = 0;
2060 vs->tight.compression = 9;
2061 vs->tight.quality = -1; /* Lossless by default */
2062 vs->absolute = -1;
2063
2064 /*
2065 * Start from the end because the encodings are sent in order of preference.
2066 * This way the preferred encoding (first encoding defined in the array)
2067 * will be set at the end of the loop.
2068 */
2069 for (i = n_encodings - 1; i >= 0; i--) {
2070 enc = encodings[i];
2071 switch (enc) {
2072 case VNC_ENCODING_RAW:
2073 vs->vnc_encoding = enc;
2074 break;
2075 case VNC_ENCODING_COPYRECT:
2076 vs->features |= VNC_FEATURE_COPYRECT_MASK;
2077 break;
2078 case VNC_ENCODING_HEXTILE:
2079 vs->features |= VNC_FEATURE_HEXTILE_MASK;
2080 vs->vnc_encoding = enc;
2081 break;
2082 case VNC_ENCODING_TIGHT:
2083 vs->features |= VNC_FEATURE_TIGHT_MASK;
2084 vs->vnc_encoding = enc;
2085 break;
2086#ifdef CONFIG_VNC_PNG
2087 case VNC_ENCODING_TIGHT_PNG:
2088 vs->features |= VNC_FEATURE_TIGHT_PNG_MASK;
2089 vs->vnc_encoding = enc;
2090 break;
2091#endif
2092 case VNC_ENCODING_ZLIB:
2093 vs->features |= VNC_FEATURE_ZLIB_MASK;
2094 vs->vnc_encoding = enc;
2095 break;
2096 case VNC_ENCODING_ZRLE:
2097 vs->features |= VNC_FEATURE_ZRLE_MASK;
2098 vs->vnc_encoding = enc;
2099 break;
2100 case VNC_ENCODING_ZYWRLE:
2101 vs->features |= VNC_FEATURE_ZYWRLE_MASK;
2102 vs->vnc_encoding = enc;
2103 break;
2104 case VNC_ENCODING_DESKTOPRESIZE:
2105 vs->features |= VNC_FEATURE_RESIZE_MASK;
2106 break;
2107 case VNC_ENCODING_POINTER_TYPE_CHANGE:
2108 vs->features |= VNC_FEATURE_POINTER_TYPE_CHANGE_MASK;
2109 break;
2110 case VNC_ENCODING_RICH_CURSOR:
2111 vs->features |= VNC_FEATURE_RICH_CURSOR_MASK;
2112 if (vs->vd->cursor) {
2113 vnc_cursor_define(vs);
2114 }
2115 break;
2116 case VNC_ENCODING_EXT_KEY_EVENT:
2117 send_ext_key_event_ack(vs);
2118 break;
2119 case VNC_ENCODING_AUDIO:
2120 send_ext_audio_ack(vs);
2121 break;
2122 case VNC_ENCODING_WMVi:
2123 vs->features |= VNC_FEATURE_WMVI_MASK;
2124 break;
2125 case VNC_ENCODING_LED_STATE:
2126 vs->features |= VNC_FEATURE_LED_STATE_MASK;
2127 break;
2128 case VNC_ENCODING_COMPRESSLEVEL0 ... VNC_ENCODING_COMPRESSLEVEL0 + 9:
2129 vs->tight.compression = (enc & 0x0F);
2130 break;
2131 case VNC_ENCODING_QUALITYLEVEL0 ... VNC_ENCODING_QUALITYLEVEL0 + 9:
2132 if (vs->vd->lossy) {
2133 vs->tight.quality = (enc & 0x0F);
2134 }
2135 break;
2136 default:
2137 VNC_DEBUG("Unknown encoding: %d (0x%.8x): %d\n", i, enc, enc);
2138 break;
2139 }
2140 }
2141 vnc_desktop_resize(vs);
2142 check_pointer_type_change(&vs->mouse_mode_notifier, NULL);
2143 vnc_led_state_change(vs);
2144}
2145
2146static void set_pixel_conversion(VncState *vs)
2147{
2148 pixman_format_code_t fmt = qemu_pixman_get_format(&vs->client_pf);
2149
2150 if (fmt == VNC_SERVER_FB_FORMAT) {
2151 vs->write_pixels = vnc_write_pixels_copy;
2152 vnc_hextile_set_pixel_conversion(vs, 0);
2153 } else {
2154 vs->write_pixels = vnc_write_pixels_generic;
2155 vnc_hextile_set_pixel_conversion(vs, 1);
2156 }
2157}
2158
2159static void send_color_map(VncState *vs)
2160{
2161 int i;
2162
2163 vnc_write_u8(vs, VNC_MSG_SERVER_SET_COLOUR_MAP_ENTRIES);
2164 vnc_write_u8(vs, 0); /* padding */
2165 vnc_write_u16(vs, 0); /* first color */
2166 vnc_write_u16(vs, 256); /* # of colors */
2167
2168 for (i = 0; i < 256; i++) {
2169 PixelFormat *pf = &vs->client_pf;
2170
2171 vnc_write_u16(vs, (((i >> pf->rshift) & pf->rmax) << (16 - pf->rbits)));
2172 vnc_write_u16(vs, (((i >> pf->gshift) & pf->gmax) << (16 - pf->gbits)));
2173 vnc_write_u16(vs, (((i >> pf->bshift) & pf->bmax) << (16 - pf->bbits)));
2174 }
2175}
2176
2177static void set_pixel_format(VncState *vs, int bits_per_pixel,
2178 int big_endian_flag, int true_color_flag,
2179 int red_max, int green_max, int blue_max,
2180 int red_shift, int green_shift, int blue_shift)
2181{
2182 if (!true_color_flag) {
2183 /* Expose a reasonable default 256 color map */
2184 bits_per_pixel = 8;
2185 red_max = 7;
2186 green_max = 7;
2187 blue_max = 3;
2188 red_shift = 0;
2189 green_shift = 3;
2190 blue_shift = 6;
2191 }
2192
2193 switch (bits_per_pixel) {
2194 case 8:
2195 case 16:
2196 case 32:
2197 break;
2198 default:
2199 vnc_client_error(vs);
2200 return;
2201 }
2202
2203 vs->client_pf.rmax = red_max ? red_max : 0xFF;
2204 vs->client_pf.rbits = ctpopl(red_max);
2205 vs->client_pf.rshift = red_shift;
2206 vs->client_pf.rmask = red_max << red_shift;
2207 vs->client_pf.gmax = green_max ? green_max : 0xFF;
2208 vs->client_pf.gbits = ctpopl(green_max);
2209 vs->client_pf.gshift = green_shift;
2210 vs->client_pf.gmask = green_max << green_shift;
2211 vs->client_pf.bmax = blue_max ? blue_max : 0xFF;
2212 vs->client_pf.bbits = ctpopl(blue_max);
2213 vs->client_pf.bshift = blue_shift;
2214 vs->client_pf.bmask = blue_max << blue_shift;
2215 vs->client_pf.bits_per_pixel = bits_per_pixel;
2216 vs->client_pf.bytes_per_pixel = bits_per_pixel / 8;
2217 vs->client_pf.depth = bits_per_pixel == 32 ? 24 : bits_per_pixel;
2218 vs->client_be = big_endian_flag;
2219
2220 if (!true_color_flag) {
2221 send_color_map(vs);
2222 }
2223
2224 set_pixel_conversion(vs);
2225
2226 graphic_hw_invalidate(vs->vd->dcl.con);
2227 graphic_hw_update(vs->vd->dcl.con);
2228}
2229
2230static void pixel_format_message (VncState *vs) {
2231 char pad[3] = { 0, 0, 0 };
2232
2233 vs->client_pf = qemu_default_pixelformat(32);
2234
2235 vnc_write_u8(vs, vs->client_pf.bits_per_pixel); /* bits-per-pixel */
2236 vnc_write_u8(vs, vs->client_pf.depth); /* depth */
2237
2238#ifdef HOST_WORDS_BIGENDIAN
2239 vnc_write_u8(vs, 1); /* big-endian-flag */
2240#else
2241 vnc_write_u8(vs, 0); /* big-endian-flag */
2242#endif
2243 vnc_write_u8(vs, 1); /* true-color-flag */
2244 vnc_write_u16(vs, vs->client_pf.rmax); /* red-max */
2245 vnc_write_u16(vs, vs->client_pf.gmax); /* green-max */
2246 vnc_write_u16(vs, vs->client_pf.bmax); /* blue-max */
2247 vnc_write_u8(vs, vs->client_pf.rshift); /* red-shift */
2248 vnc_write_u8(vs, vs->client_pf.gshift); /* green-shift */
2249 vnc_write_u8(vs, vs->client_pf.bshift); /* blue-shift */
2250 vnc_write(vs, pad, 3); /* padding */
2251
2252 vnc_hextile_set_pixel_conversion(vs, 0);
2253 vs->write_pixels = vnc_write_pixels_copy;
2254}
2255
2256static void vnc_colordepth(VncState *vs)
2257{
2258 if (vnc_has_feature(vs, VNC_FEATURE_WMVI)) {
2259 /* Sending a WMVi message to notify the client*/
2260 vnc_lock_output(vs);
2261 vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
2262 vnc_write_u8(vs, 0);
2263 vnc_write_u16(vs, 1); /* number of rects */
2264 vnc_framebuffer_update(vs, 0, 0,
2265 pixman_image_get_width(vs->vd->server),
2266 pixman_image_get_height(vs->vd->server),
2267 VNC_ENCODING_WMVi);
2268 pixel_format_message(vs);
2269 vnc_unlock_output(vs);
2270 vnc_flush(vs);
2271 } else {
2272 set_pixel_conversion(vs);
2273 }
2274}
2275
2276static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
2277{
2278 int i;
2279 uint16_t limit;
2280 uint32_t freq;
2281 VncDisplay *vd = vs->vd;
2282
2283 if (data[0] > 3) {
2284 update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
2285 }
2286
2287 switch (data[0]) {
2288 case VNC_MSG_CLIENT_SET_PIXEL_FORMAT:
2289 if (len == 1)
2290 return 20;
2291
2292 set_pixel_format(vs, read_u8(data, 4),
2293 read_u8(data, 6), read_u8(data, 7),
2294 read_u16(data, 8), read_u16(data, 10),
2295 read_u16(data, 12), read_u8(data, 14),
2296 read_u8(data, 15), read_u8(data, 16));
2297 break;
2298 case VNC_MSG_CLIENT_SET_ENCODINGS:
2299 if (len == 1)
2300 return 4;
2301
2302 if (len == 4) {
2303 limit = read_u16(data, 2);
2304 if (limit > 0)
2305 return 4 + (limit * 4);
2306 } else
2307 limit = read_u16(data, 2);
2308
2309 for (i = 0; i < limit; i++) {
2310 int32_t val = read_s32(data, 4 + (i * 4));
2311 memcpy(data + 4 + (i * 4), &val, sizeof(val));
2312 }
2313
2314 set_encodings(vs, (int32_t *)(data + 4), limit);
2315 break;
2316 case VNC_MSG_CLIENT_FRAMEBUFFER_UPDATE_REQUEST:
2317 if (len == 1)
2318 return 10;
2319
2320 framebuffer_update_request(vs,
2321 read_u8(data, 1), read_u16(data, 2), read_u16(data, 4),
2322 read_u16(data, 6), read_u16(data, 8));
2323 break;
2324 case VNC_MSG_CLIENT_KEY_EVENT:
2325 if (len == 1)
2326 return 8;
2327
2328 key_event(vs, read_u8(data, 1), read_u32(data, 4));
2329 break;
2330 case VNC_MSG_CLIENT_POINTER_EVENT:
2331 if (len == 1)
2332 return 6;
2333
2334 pointer_event(vs, read_u8(data, 1), read_u16(data, 2), read_u16(data, 4));
2335 break;
2336 case VNC_MSG_CLIENT_CUT_TEXT:
2337 if (len == 1) {
2338 return 8;
2339 }
2340 if (len == 8) {
2341 uint32_t dlen = read_u32(data, 4);
2342 if (dlen > (1 << 20)) {
2343 error_report("vnc: client_cut_text msg payload has %u bytes"
2344 " which exceeds our limit of 1MB.", dlen);
2345 vnc_client_error(vs);
2346 break;
2347 }
2348 if (dlen > 0) {
2349 return 8 + dlen;
2350 }
2351 }
2352
2353 client_cut_text(vs, read_u32(data, 4), data + 8);
2354 break;
2355 case VNC_MSG_CLIENT_QEMU:
2356 if (len == 1)
2357 return 2;
2358
2359 switch (read_u8(data, 1)) {
2360 case VNC_MSG_CLIENT_QEMU_EXT_KEY_EVENT:
2361 if (len == 2)
2362 return 12;
2363
2364 ext_key_event(vs, read_u16(data, 2),
2365 read_u32(data, 4), read_u32(data, 8));
2366 break;
2367 case VNC_MSG_CLIENT_QEMU_AUDIO:
2368 if (len == 2)
2369 return 4;
2370
2371 switch (read_u16 (data, 2)) {
2372 case VNC_MSG_CLIENT_QEMU_AUDIO_ENABLE:
2373 audio_add(vs);
2374 break;
2375 case VNC_MSG_CLIENT_QEMU_AUDIO_DISABLE:
2376 audio_del(vs);
2377 break;
2378 case VNC_MSG_CLIENT_QEMU_AUDIO_SET_FORMAT:
2379 if (len == 4)
2380 return 10;
2381 switch (read_u8(data, 4)) {
2382 case 0: vs->as.fmt = AUDIO_FORMAT_U8; break;
2383 case 1: vs->as.fmt = AUDIO_FORMAT_S8; break;
2384 case 2: vs->as.fmt = AUDIO_FORMAT_U16; break;
2385 case 3: vs->as.fmt = AUDIO_FORMAT_S16; break;
2386 case 4: vs->as.fmt = AUDIO_FORMAT_U32; break;
2387 case 5: vs->as.fmt = AUDIO_FORMAT_S32; break;
2388 default:
2389 VNC_DEBUG("Invalid audio format %d\n", read_u8(data, 4));
2390 vnc_client_error(vs);
2391 break;
2392 }
2393 vs->as.nchannels = read_u8(data, 5);
2394 if (vs->as.nchannels != 1 && vs->as.nchannels != 2) {
2395 VNC_DEBUG("Invalid audio channel count %d\n",
2396 read_u8(data, 5));
2397 vnc_client_error(vs);
2398 break;
2399 }
2400 freq = read_u32(data, 6);
2401 /* No official limit for protocol, but 48khz is a sensible
2402 * upper bound for trustworthy clients, and this limit
2403 * protects calculations involving 'vs->as.freq' later.
2404 */
2405 if (freq > 48000) {
2406 VNC_DEBUG("Invalid audio frequency %u > 48000", freq);
2407 vnc_client_error(vs);
2408 break;
2409 }
2410 vs->as.freq = freq;
2411 break;
2412 default:
2413 VNC_DEBUG("Invalid audio message %d\n", read_u8(data, 4));
2414 vnc_client_error(vs);
2415 break;
2416 }
2417 break;
2418
2419 default:
2420 VNC_DEBUG("Msg: %d\n", read_u16(data, 0));
2421 vnc_client_error(vs);
2422 break;
2423 }
2424 break;
2425 default:
2426 VNC_DEBUG("Msg: %d\n", data[0]);
2427 vnc_client_error(vs);
2428 break;
2429 }
2430
2431 vnc_update_throttle_offset(vs);
2432 vnc_read_when(vs, protocol_client_msg, 1);
2433 return 0;
2434}
2435
2436static int protocol_client_init(VncState *vs, uint8_t *data, size_t len)
2437{
2438 char buf[1024];
2439 VncShareMode mode;
2440 int size;
2441
2442 mode = data[0] ? VNC_SHARE_MODE_SHARED : VNC_SHARE_MODE_EXCLUSIVE;
2443 switch (vs->vd->share_policy) {
2444 case VNC_SHARE_POLICY_IGNORE:
2445 /*
2446 * Ignore the shared flag. Nothing to do here.
2447 *
2448 * Doesn't conform to the rfb spec but is traditional qemu
2449 * behavior, thus left here as option for compatibility
2450 * reasons.
2451 */
2452 break;
2453 case VNC_SHARE_POLICY_ALLOW_EXCLUSIVE:
2454 /*
2455 * Policy: Allow clients ask for exclusive access.
2456 *
2457 * Implementation: When a client asks for exclusive access,
2458 * disconnect all others. Shared connects are allowed as long
2459 * as no exclusive connection exists.
2460 *
2461 * This is how the rfb spec suggests to handle the shared flag.
2462 */
2463 if (mode == VNC_SHARE_MODE_EXCLUSIVE) {
2464 VncState *client;
2465 QTAILQ_FOREACH(client, &vs->vd->clients, next) {
2466 if (vs == client) {
2467 continue;
2468 }
2469 if (client->share_mode != VNC_SHARE_MODE_EXCLUSIVE &&
2470 client->share_mode != VNC_SHARE_MODE_SHARED) {
2471 continue;
2472 }
2473 vnc_disconnect_start(client);
2474 }
2475 }
2476 if (mode == VNC_SHARE_MODE_SHARED) {
2477 if (vs->vd->num_exclusive > 0) {
2478 vnc_disconnect_start(vs);
2479 return 0;
2480 }
2481 }
2482 break;
2483 case VNC_SHARE_POLICY_FORCE_SHARED:
2484 /*
2485 * Policy: Shared connects only.
2486 * Implementation: Disallow clients asking for exclusive access.
2487 *
2488 * Useful for shared desktop sessions where you don't want
2489 * someone forgetting to say -shared when running the vnc
2490 * client disconnect everybody else.
2491 */
2492 if (mode == VNC_SHARE_MODE_EXCLUSIVE) {
2493 vnc_disconnect_start(vs);
2494 return 0;
2495 }
2496 break;
2497 }
2498 vnc_set_share_mode(vs, mode);
2499
2500 if (vs->vd->num_shared > vs->vd->connections_limit) {
2501 vnc_disconnect_start(vs);
2502 return 0;
2503 }
2504
2505 assert(pixman_image_get_width(vs->vd->server) < 65536 &&
2506 pixman_image_get_width(vs->vd->server) >= 0);
2507 assert(pixman_image_get_height(vs->vd->server) < 65536 &&
2508 pixman_image_get_height(vs->vd->server) >= 0);
2509 vs->client_width = pixman_image_get_width(vs->vd->server);
2510 vs->client_height = pixman_image_get_height(vs->vd->server);
2511 vnc_write_u16(vs, vs->client_width);
2512 vnc_write_u16(vs, vs->client_height);
2513
2514 pixel_format_message(vs);
2515
2516 if (qemu_name) {
2517 size = snprintf(buf, sizeof(buf), "QEMU (%s)", qemu_name);
2518 if (size > sizeof(buf)) {
2519 size = sizeof(buf);
2520 }
2521 } else {
2522 size = snprintf(buf, sizeof(buf), "QEMU");
2523 }
2524
2525 vnc_write_u32(vs, size);
2526 vnc_write(vs, buf, size);
2527 vnc_flush(vs);
2528
2529 vnc_client_cache_auth(vs);
2530 vnc_qmp_event(vs, QAPI_EVENT_VNC_INITIALIZED);
2531
2532 vnc_read_when(vs, protocol_client_msg, 1);
2533
2534 return 0;
2535}
2536
2537void start_client_init(VncState *vs)
2538{
2539 vnc_read_when(vs, protocol_client_init, 1);
2540}
2541
2542static void authentication_failed(VncState *vs)
2543{
2544 vnc_write_u32(vs, 1); /* Reject auth */
2545 if (vs->minor >= 8) {
2546 static const char err[] = "Authentication failed";
2547 vnc_write_u32(vs, sizeof(err));
2548 vnc_write(vs, err, sizeof(err));
2549 }
2550 vnc_flush(vs);
2551 vnc_client_error(vs);
2552}
2553
2554static int protocol_client_auth_vnc(VncState *vs, uint8_t *data, size_t len)
2555{
2556 unsigned char response[VNC_AUTH_CHALLENGE_SIZE];
2557 size_t i, pwlen;
2558 unsigned char key[8];
2559 time_t now = time(NULL);
2560 QCryptoCipher *cipher = NULL;
2561 Error *err = NULL;
2562
2563 if (!vs->vd->password) {
2564 trace_vnc_auth_fail(vs, vs->auth, "password is not set", "");
2565 goto reject;
2566 }
2567 if (vs->vd->expires < now) {
2568 trace_vnc_auth_fail(vs, vs->auth, "password is expired", "");
2569 goto reject;
2570 }
2571
2572 memcpy(response, vs->challenge, VNC_AUTH_CHALLENGE_SIZE);
2573
2574 /* Calculate the expected challenge response */
2575 pwlen = strlen(vs->vd->password);
2576 for (i=0; i<sizeof(key); i++)
2577 key[i] = i<pwlen ? vs->vd->password[i] : 0;
2578
2579 cipher = qcrypto_cipher_new(
2580 QCRYPTO_CIPHER_ALG_DES_RFB,
2581 QCRYPTO_CIPHER_MODE_ECB,
2582 key, G_N_ELEMENTS(key),
2583 &err);
2584 if (!cipher) {
2585 trace_vnc_auth_fail(vs, vs->auth, "cannot create cipher",
2586 error_get_pretty(err));
2587 error_free(err);
2588 goto reject;
2589 }
2590
2591 if (qcrypto_cipher_encrypt(cipher,
2592 vs->challenge,
2593 response,
2594 VNC_AUTH_CHALLENGE_SIZE,
2595 &err) < 0) {
2596 trace_vnc_auth_fail(vs, vs->auth, "cannot encrypt challenge response",
2597 error_get_pretty(err));
2598 error_free(err);
2599 goto reject;
2600 }
2601
2602 /* Compare expected vs actual challenge response */
2603 if (memcmp(response, data, VNC_AUTH_CHALLENGE_SIZE) != 0) {
2604 trace_vnc_auth_fail(vs, vs->auth, "mis-matched challenge response", "");
2605 goto reject;
2606 } else {
2607 trace_vnc_auth_pass(vs, vs->auth);
2608 vnc_write_u32(vs, 0); /* Accept auth */
2609 vnc_flush(vs);
2610
2611 start_client_init(vs);
2612 }
2613
2614 qcrypto_cipher_free(cipher);
2615 return 0;
2616
2617reject:
2618 authentication_failed(vs);
2619 qcrypto_cipher_free(cipher);
2620 return 0;
2621}
2622
2623void start_auth_vnc(VncState *vs)
2624{
2625 Error *err = NULL;
2626
2627 if (qcrypto_random_bytes(vs->challenge, sizeof(vs->challenge), &err)) {
2628 trace_vnc_auth_fail(vs, vs->auth, "cannot get random bytes",
2629 error_get_pretty(err));
2630 error_free(err);
2631 authentication_failed(vs);
2632 return;
2633 }
2634
2635 /* Send client a 'random' challenge */
2636 vnc_write(vs, vs->challenge, sizeof(vs->challenge));
2637 vnc_flush(vs);
2638
2639 vnc_read_when(vs, protocol_client_auth_vnc, sizeof(vs->challenge));
2640}
2641
2642
2643static int protocol_client_auth(VncState *vs, uint8_t *data, size_t len)
2644{
2645 /* We only advertise 1 auth scheme at a time, so client
2646 * must pick the one we sent. Verify this */
2647 if (data[0] != vs->auth) { /* Reject auth */
2648 trace_vnc_auth_reject(vs, vs->auth, (int)data[0]);
2649 authentication_failed(vs);
2650 } else { /* Accept requested auth */
2651 trace_vnc_auth_start(vs, vs->auth);
2652 switch (vs->auth) {
2653 case VNC_AUTH_NONE:
2654 if (vs->minor >= 8) {
2655 vnc_write_u32(vs, 0); /* Accept auth completion */
2656 vnc_flush(vs);
2657 }
2658 trace_vnc_auth_pass(vs, vs->auth);
2659 start_client_init(vs);
2660 break;
2661
2662 case VNC_AUTH_VNC:
2663 start_auth_vnc(vs);
2664 break;
2665
2666 case VNC_AUTH_VENCRYPT:
2667 start_auth_vencrypt(vs);
2668 break;
2669
2670#ifdef CONFIG_VNC_SASL
2671 case VNC_AUTH_SASL:
2672 start_auth_sasl(vs);
2673 break;
2674#endif /* CONFIG_VNC_SASL */
2675
2676 default: /* Should not be possible, but just in case */
2677 trace_vnc_auth_fail(vs, vs->auth, "Unhandled auth method", "");
2678 authentication_failed(vs);
2679 }
2680 }
2681 return 0;
2682}
2683
2684static int protocol_version(VncState *vs, uint8_t *version, size_t len)
2685{
2686 char local[13];
2687
2688 memcpy(local, version, 12);
2689 local[12] = 0;
2690
2691 if (sscanf(local, "RFB %03d.%03d\n", &vs->major, &vs->minor) != 2) {
2692 VNC_DEBUG("Malformed protocol version %s\n", local);
2693 vnc_client_error(vs);
2694 return 0;
2695 }
2696 VNC_DEBUG("Client request protocol version %d.%d\n", vs->major, vs->minor);
2697 if (vs->major != 3 ||
2698 (vs->minor != 3 &&
2699 vs->minor != 4 &&
2700 vs->minor != 5 &&
2701 vs->minor != 7 &&
2702 vs->minor != 8)) {
2703 VNC_DEBUG("Unsupported client version\n");
2704 vnc_write_u32(vs, VNC_AUTH_INVALID);
2705 vnc_flush(vs);
2706 vnc_client_error(vs);
2707 return 0;
2708 }
2709 /* Some broken clients report v3.4 or v3.5, which spec requires to be treated
2710 * as equivalent to v3.3 by servers
2711 */
2712 if (vs->minor == 4 || vs->minor == 5)
2713 vs->minor = 3;
2714
2715 if (vs->minor == 3) {
2716 trace_vnc_auth_start(vs, vs->auth);
2717 if (vs->auth == VNC_AUTH_NONE) {
2718 vnc_write_u32(vs, vs->auth);
2719 vnc_flush(vs);
2720 trace_vnc_auth_pass(vs, vs->auth);
2721 start_client_init(vs);
2722 } else if (vs->auth == VNC_AUTH_VNC) {
2723 VNC_DEBUG("Tell client VNC auth\n");
2724 vnc_write_u32(vs, vs->auth);
2725 vnc_flush(vs);
2726 start_auth_vnc(vs);
2727 } else {
2728 trace_vnc_auth_fail(vs, vs->auth,
2729 "Unsupported auth method for v3.3", "");
2730 vnc_write_u32(vs, VNC_AUTH_INVALID);
2731 vnc_flush(vs);
2732 vnc_client_error(vs);
2733 }
2734 } else {
2735 vnc_write_u8(vs, 1); /* num auth */
2736 vnc_write_u8(vs, vs->auth);
2737 vnc_read_when(vs, protocol_client_auth, 1);
2738 vnc_flush(vs);
2739 }
2740
2741 return 0;
2742}
2743
2744static VncRectStat *vnc_stat_rect(VncDisplay *vd, int x, int y)
2745{
2746 struct VncSurface *vs = &vd->guest;
2747
2748 return &vs->stats[y / VNC_STAT_RECT][x / VNC_STAT_RECT];
2749}
2750
2751void vnc_sent_lossy_rect(VncState *vs, int x, int y, int w, int h)
2752{
2753 int i, j;
2754
2755 w = (x + w) / VNC_STAT_RECT;
2756 h = (y + h) / VNC_STAT_RECT;
2757 x /= VNC_STAT_RECT;
2758 y /= VNC_STAT_RECT;
2759
2760 for (j = y; j <= h; j++) {
2761 for (i = x; i <= w; i++) {
2762 vs->lossy_rect[j][i] = 1;
2763 }
2764 }
2765}
2766
2767static int vnc_refresh_lossy_rect(VncDisplay *vd, int x, int y)
2768{
2769 VncState *vs;
2770 int sty = y / VNC_STAT_RECT;
2771 int stx = x / VNC_STAT_RECT;
2772 int has_dirty = 0;
2773
2774 y = QEMU_ALIGN_DOWN(y, VNC_STAT_RECT);
2775 x = QEMU_ALIGN_DOWN(x, VNC_STAT_RECT);
2776
2777 QTAILQ_FOREACH(vs, &vd->clients, next) {
2778 int j;
2779
2780 /* kernel send buffers are full -> refresh later */
2781 if (vs->output.offset) {
2782 continue;
2783 }
2784
2785 if (!vs->lossy_rect[sty][stx]) {
2786 continue;
2787 }
2788
2789 vs->lossy_rect[sty][stx] = 0;
2790 for (j = 0; j < VNC_STAT_RECT; ++j) {
2791 bitmap_set(vs->dirty[y + j],
2792 x / VNC_DIRTY_PIXELS_PER_BIT,
2793 VNC_STAT_RECT / VNC_DIRTY_PIXELS_PER_BIT);
2794 }
2795 has_dirty++;
2796 }
2797
2798 return has_dirty;
2799}
2800
2801static int vnc_update_stats(VncDisplay *vd, struct timeval * tv)
2802{
2803 int width = MIN(pixman_image_get_width(vd->guest.fb),
2804 pixman_image_get_width(vd->server));
2805 int height = MIN(pixman_image_get_height(vd->guest.fb),
2806 pixman_image_get_height(vd->server));
2807 int x, y;
2808 struct timeval res;
2809 int has_dirty = 0;
2810
2811 for (y = 0; y < height; y += VNC_STAT_RECT) {
2812 for (x = 0; x < width; x += VNC_STAT_RECT) {
2813 VncRectStat *rect = vnc_stat_rect(vd, x, y);
2814
2815 rect->updated = false;
2816 }
2817 }
2818
2819 qemu_timersub(tv, &VNC_REFRESH_STATS, &res);
2820
2821 if (timercmp(&vd->guest.last_freq_check, &res, >)) {
2822 return has_dirty;
2823 }
2824 vd->guest.last_freq_check = *tv;
2825
2826 for (y = 0; y < height; y += VNC_STAT_RECT) {
2827 for (x = 0; x < width; x += VNC_STAT_RECT) {
2828 VncRectStat *rect= vnc_stat_rect(vd, x, y);
2829 int count = ARRAY_SIZE(rect->times);
2830 struct timeval min, max;
2831
2832 if (!timerisset(&rect->times[count - 1])) {
2833 continue ;
2834 }
2835
2836 max = rect->times[(rect->idx + count - 1) % count];
2837 qemu_timersub(tv, &max, &res);
2838
2839 if (timercmp(&res, &VNC_REFRESH_LOSSY, >)) {
2840 rect->freq = 0;
2841 has_dirty += vnc_refresh_lossy_rect(vd, x, y);
2842 memset(rect->times, 0, sizeof (rect->times));
2843 continue ;
2844 }
2845
2846 min = rect->times[rect->idx];
2847 max = rect->times[(rect->idx + count - 1) % count];
2848 qemu_timersub(&max, &min, &res);
2849
2850 rect->freq = res.tv_sec + res.tv_usec / 1000000.;
2851 rect->freq /= count;
2852 rect->freq = 1. / rect->freq;
2853 }
2854 }
2855 return has_dirty;
2856}
2857
2858double vnc_update_freq(VncState *vs, int x, int y, int w, int h)
2859{
2860 int i, j;
2861 double total = 0;
2862 int num = 0;
2863
2864 x = QEMU_ALIGN_DOWN(x, VNC_STAT_RECT);
2865 y = QEMU_ALIGN_DOWN(y, VNC_STAT_RECT);
2866
2867 for (j = y; j <= y + h; j += VNC_STAT_RECT) {
2868 for (i = x; i <= x + w; i += VNC_STAT_RECT) {
2869 total += vnc_stat_rect(vs->vd, i, j)->freq;
2870 num++;
2871 }
2872 }
2873
2874 if (num) {
2875 return total / num;
2876 } else {
2877 return 0;
2878 }
2879}
2880
2881static void vnc_rect_updated(VncDisplay *vd, int x, int y, struct timeval * tv)
2882{
2883 VncRectStat *rect;
2884
2885 rect = vnc_stat_rect(vd, x, y);
2886 if (rect->updated) {
2887 return ;
2888 }
2889 rect->times[rect->idx] = *tv;
2890 rect->idx = (rect->idx + 1) % ARRAY_SIZE(rect->times);
2891 rect->updated = true;
2892}
2893
2894static int vnc_refresh_server_surface(VncDisplay *vd)
2895{
2896 int width = MIN(pixman_image_get_width(vd->guest.fb),
2897 pixman_image_get_width(vd->server));
2898 int height = MIN(pixman_image_get_height(vd->guest.fb),
2899 pixman_image_get_height(vd->server));
2900 int cmp_bytes, server_stride, line_bytes, guest_ll, guest_stride, y = 0;
2901 uint8_t *guest_row0 = NULL, *server_row0;
2902 VncState *vs;
2903 int has_dirty = 0;
2904 pixman_image_t *tmpbuf = NULL;
2905
2906 struct timeval tv = { 0, 0 };
2907
2908 if (!vd->non_adaptive) {
2909 gettimeofday(&tv, NULL);
2910 has_dirty = vnc_update_stats(vd, &tv);
2911 }
2912
2913 /*
2914 * Walk through the guest dirty map.
2915 * Check and copy modified bits from guest to server surface.
2916 * Update server dirty map.
2917 */
2918 server_row0 = (uint8_t *)pixman_image_get_data(vd->server);
2919 server_stride = guest_stride = guest_ll =
2920 pixman_image_get_stride(vd->server);
2921 cmp_bytes = MIN(VNC_DIRTY_PIXELS_PER_BIT * VNC_SERVER_FB_BYTES,
2922 server_stride);
2923 if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
2924 int width = pixman_image_get_width(vd->server);
2925 tmpbuf = qemu_pixman_linebuf_create(VNC_SERVER_FB_FORMAT, width);
2926 } else {
2927 int guest_bpp =
2928 PIXMAN_FORMAT_BPP(pixman_image_get_format(vd->guest.fb));
2929 guest_row0 = (uint8_t *)pixman_image_get_data(vd->guest.fb);
2930 guest_stride = pixman_image_get_stride(vd->guest.fb);
2931 guest_ll = pixman_image_get_width(vd->guest.fb)
2932 * DIV_ROUND_UP(guest_bpp, 8);
2933 }
2934 line_bytes = MIN(server_stride, guest_ll);
2935
2936 for (;;) {
2937 int x;
2938 uint8_t *guest_ptr, *server_ptr;
2939 unsigned long offset = find_next_bit((unsigned long *) &vd->guest.dirty,
2940 height * VNC_DIRTY_BPL(&vd->guest),
2941 y * VNC_DIRTY_BPL(&vd->guest));
2942 if (offset == height * VNC_DIRTY_BPL(&vd->guest)) {
2943 /* no more dirty bits */
2944 break;
2945 }
2946 y = offset / VNC_DIRTY_BPL(&vd->guest);
2947 x = offset % VNC_DIRTY_BPL(&vd->guest);
2948
2949 server_ptr = server_row0 + y * server_stride + x * cmp_bytes;
2950
2951 if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
2952 qemu_pixman_linebuf_fill(tmpbuf, vd->guest.fb, width, 0, y);
2953 guest_ptr = (uint8_t *)pixman_image_get_data(tmpbuf);
2954 } else {
2955 guest_ptr = guest_row0 + y * guest_stride;
2956 }
2957 guest_ptr += x * cmp_bytes;
2958
2959 for (; x < DIV_ROUND_UP(width, VNC_DIRTY_PIXELS_PER_BIT);
2960 x++, guest_ptr += cmp_bytes, server_ptr += cmp_bytes) {
2961 int _cmp_bytes = cmp_bytes;
2962 if (!test_and_clear_bit(x, vd->guest.dirty[y])) {
2963 continue;
2964 }
2965 if ((x + 1) * cmp_bytes > line_bytes) {
2966 _cmp_bytes = line_bytes - x * cmp_bytes;
2967 }
2968 assert(_cmp_bytes >= 0);
2969 if (memcmp(server_ptr, guest_ptr, _cmp_bytes) == 0) {
2970 continue;
2971 }
2972 memcpy(server_ptr, guest_ptr, _cmp_bytes);
2973 if (!vd->non_adaptive) {
2974 vnc_rect_updated(vd, x * VNC_DIRTY_PIXELS_PER_BIT,
2975 y, &tv);
2976 }
2977 QTAILQ_FOREACH(vs, &vd->clients, next) {
2978 set_bit(x, vs->dirty[y]);
2979 }
2980 has_dirty++;
2981 }
2982
2983 y++;
2984 }
2985 qemu_pixman_image_unref(tmpbuf);
2986 return has_dirty;
2987}
2988
2989static void vnc_refresh(DisplayChangeListener *dcl)
2990{
2991 VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
2992 VncState *vs, *vn;
2993 int has_dirty, rects = 0;
2994
2995 if (QTAILQ_EMPTY(&vd->clients)) {
2996 update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_MAX);
2997 return;
2998 }
2999
3000 graphic_hw_update(vd->dcl.con);
3001
3002 if (vnc_trylock_display(vd)) {
3003 update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
3004 return;
3005 }
3006
3007 has_dirty = vnc_refresh_server_surface(vd);
3008 vnc_unlock_display(vd);
3009
3010 QTAILQ_FOREACH_SAFE(vs, &vd->clients, next, vn) {
3011 rects += vnc_update_client(vs, has_dirty);
3012 /* vs might be free()ed here */
3013 }
3014
3015 if (has_dirty && rects) {
3016 vd->dcl.update_interval /= 2;
3017 if (vd->dcl.update_interval < VNC_REFRESH_INTERVAL_BASE) {
3018 vd->dcl.update_interval = VNC_REFRESH_INTERVAL_BASE;
3019 }
3020 } else {
3021 vd->dcl.update_interval += VNC_REFRESH_INTERVAL_INC;
3022 if (vd->dcl.update_interval > VNC_REFRESH_INTERVAL_MAX) {
3023 vd->dcl.update_interval = VNC_REFRESH_INTERVAL_MAX;
3024 }
3025 }
3026}
3027
3028static void vnc_connect(VncDisplay *vd, QIOChannelSocket *sioc,
3029 bool skipauth, bool websocket)
3030{
3031 VncState *vs = g_new0(VncState, 1);
3032 bool first_client = QTAILQ_EMPTY(&vd->clients);
3033 int i;
3034
3035 trace_vnc_client_connect(vs, sioc);
3036 vs->magic = VNC_MAGIC;
3037 vs->sioc = sioc;
3038 object_ref(OBJECT(vs->sioc));
3039 vs->ioc = QIO_CHANNEL(sioc);
3040 object_ref(OBJECT(vs->ioc));
3041 vs->vd = vd;
3042
3043 buffer_init(&vs->input, "vnc-input/%p", sioc);
3044 buffer_init(&vs->output, "vnc-output/%p", sioc);
3045 buffer_init(&vs->jobs_buffer, "vnc-jobs_buffer/%p", sioc);
3046
3047 buffer_init(&vs->tight.tight, "vnc-tight/%p", sioc);
3048 buffer_init(&vs->tight.zlib, "vnc-tight-zlib/%p", sioc);
3049 buffer_init(&vs->tight.gradient, "vnc-tight-gradient/%p", sioc);
3050#ifdef CONFIG_VNC_JPEG
3051 buffer_init(&vs->tight.jpeg, "vnc-tight-jpeg/%p", sioc);
3052#endif
3053#ifdef CONFIG_VNC_PNG
3054 buffer_init(&vs->tight.png, "vnc-tight-png/%p", sioc);
3055#endif
3056 buffer_init(&vs->zlib.zlib, "vnc-zlib/%p", sioc);
3057 buffer_init(&vs->zrle.zrle, "vnc-zrle/%p", sioc);
3058 buffer_init(&vs->zrle.fb, "vnc-zrle-fb/%p", sioc);
3059 buffer_init(&vs->zrle.zlib, "vnc-zrle-zlib/%p", sioc);
3060
3061 if (skipauth) {
3062 vs->auth = VNC_AUTH_NONE;
3063 vs->subauth = VNC_AUTH_INVALID;
3064 } else {
3065 if (websocket) {
3066 vs->auth = vd->ws_auth;
3067 vs->subauth = VNC_AUTH_INVALID;
3068 } else {
3069 vs->auth = vd->auth;
3070 vs->subauth = vd->subauth;
3071 }
3072 }
3073 VNC_DEBUG("Client sioc=%p ws=%d auth=%d subauth=%d\n",
3074 sioc, websocket, vs->auth, vs->subauth);
3075
3076 vs->lossy_rect = g_malloc0(VNC_STAT_ROWS * sizeof (*vs->lossy_rect));
3077 for (i = 0; i < VNC_STAT_ROWS; ++i) {
3078 vs->lossy_rect[i] = g_new0(uint8_t, VNC_STAT_COLS);
3079 }
3080
3081 VNC_DEBUG("New client on socket %p\n", vs->sioc);
3082 update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
3083 qio_channel_set_blocking(vs->ioc, false, NULL);
3084 if (vs->ioc_tag) {
3085 g_source_remove(vs->ioc_tag);
3086 }
3087 if (websocket) {
3088 vs->websocket = 1;
3089 if (vd->tlscreds) {
3090 vs->ioc_tag = qio_channel_add_watch(
3091 vs->ioc, G_IO_IN, vncws_tls_handshake_io, vs, NULL);
3092 } else {
3093 vs->ioc_tag = qio_channel_add_watch(
3094 vs->ioc, G_IO_IN, vncws_handshake_io, vs, NULL);
3095 }
3096 } else {
3097 vs->ioc_tag = qio_channel_add_watch(
3098 vs->ioc, G_IO_IN, vnc_client_io, vs, NULL);
3099 }
3100
3101 vnc_client_cache_addr(vs);
3102 vnc_qmp_event(vs, QAPI_EVENT_VNC_CONNECTED);
3103 vnc_set_share_mode(vs, VNC_SHARE_MODE_CONNECTING);
3104
3105 vs->last_x = -1;
3106 vs->last_y = -1;
3107
3108 vs->as.freq = 44100;
3109 vs->as.nchannels = 2;
3110 vs->as.fmt = AUDIO_FORMAT_S16;
3111 vs->as.endianness = 0;
3112
3113 qemu_mutex_init(&vs->output_mutex);
3114 vs->bh = qemu_bh_new(vnc_jobs_bh, vs);
3115
3116 QTAILQ_INSERT_TAIL(&vd->clients, vs, next);
3117 if (first_client) {
3118 vnc_update_server_surface(vd);
3119 }
3120
3121 graphic_hw_update(vd->dcl.con);
3122
3123 if (!vs->websocket) {
3124 vnc_start_protocol(vs);
3125 }
3126
3127 if (vd->num_connecting > vd->connections_limit) {
3128 QTAILQ_FOREACH(vs, &vd->clients, next) {
3129 if (vs->share_mode == VNC_SHARE_MODE_CONNECTING) {
3130 vnc_disconnect_start(vs);
3131 return;
3132 }
3133 }
3134 }
3135}
3136
3137void vnc_start_protocol(VncState *vs)
3138{
3139 vnc_write(vs, "RFB 003.008\n", 12);
3140 vnc_flush(vs);
3141 vnc_read_when(vs, protocol_version, 12);
3142
3143 vs->mouse_mode_notifier.notify = check_pointer_type_change;
3144 qemu_add_mouse_mode_change_notifier(&vs->mouse_mode_notifier);
3145}
3146
3147static void vnc_listen_io(QIONetListener *listener,
3148 QIOChannelSocket *cioc,
3149 void *opaque)
3150{
3151 VncDisplay *vd = opaque;
3152 bool isWebsock = listener == vd->wslistener;
3153
3154 qio_channel_set_name(QIO_CHANNEL(cioc),
3155 isWebsock ? "vnc-ws-server" : "vnc-server");
3156 qio_channel_set_delay(QIO_CHANNEL(cioc), false);
3157 vnc_connect(vd, cioc, false, isWebsock);
3158}
3159
3160static const DisplayChangeListenerOps dcl_ops = {
3161 .dpy_name = "vnc",
3162 .dpy_refresh = vnc_refresh,
3163 .dpy_gfx_update = vnc_dpy_update,
3164 .dpy_gfx_switch = vnc_dpy_switch,
3165 .dpy_gfx_check_format = qemu_pixman_check_format,
3166 .dpy_mouse_set = vnc_mouse_set,
3167 .dpy_cursor_define = vnc_dpy_cursor_define,
3168};
3169
3170void vnc_display_init(const char *id, Error **errp)
3171{
3172 VncDisplay *vd;
3173
3174 if (vnc_display_find(id) != NULL) {
3175 return;
3176 }
3177 vd = g_malloc0(sizeof(*vd));
3178
3179 vd->id = strdup(id);
3180 QTAILQ_INSERT_TAIL(&vnc_displays, vd, next);
3181
3182 QTAILQ_INIT(&vd->clients);
3183 vd->expires = TIME_MAX;
3184
3185 if (keyboard_layout) {
3186 trace_vnc_key_map_init(keyboard_layout);
3187 vd->kbd_layout = init_keyboard_layout(name2keysym,
3188 keyboard_layout, errp);
3189 } else {
3190 vd->kbd_layout = init_keyboard_layout(name2keysym, "en-us", errp);
3191 }
3192
3193 if (!vd->kbd_layout) {
3194 return;
3195 }
3196
3197 vd->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
3198 vd->connections_limit = 32;
3199
3200 qemu_mutex_init(&vd->mutex);
3201 vnc_start_worker_thread();
3202
3203 vd->dcl.ops = &dcl_ops;
3204 register_displaychangelistener(&vd->dcl);
3205 vd->kbd = qkbd_state_init(vd->dcl.con);
3206}
3207
3208
3209static void vnc_display_close(VncDisplay *vd)
3210{
3211 if (!vd) {
3212 return;
3213 }
3214 vd->is_unix = false;
3215
3216 if (vd->listener) {
3217 qio_net_listener_disconnect(vd->listener);
3218 object_unref(OBJECT(vd->listener));
3219 }
3220 vd->listener = NULL;
3221
3222 if (vd->wslistener) {
3223 qio_net_listener_disconnect(vd->wslistener);
3224 object_unref(OBJECT(vd->wslistener));
3225 }
3226 vd->wslistener = NULL;
3227
3228 vd->auth = VNC_AUTH_INVALID;
3229 vd->subauth = VNC_AUTH_INVALID;
3230 if (vd->tlscreds) {
3231 object_unparent(OBJECT(vd->tlscreds));
3232 vd->tlscreds = NULL;
3233 }
3234 if (vd->tlsauthz) {
3235 object_unparent(OBJECT(vd->tlsauthz));
3236 vd->tlsauthz = NULL;
3237 }
3238 g_free(vd->tlsauthzid);
3239 vd->tlsauthzid = NULL;
3240 if (vd->lock_key_sync) {
3241 qemu_remove_led_event_handler(vd->led);
3242 vd->led = NULL;
3243 }
3244#ifdef CONFIG_VNC_SASL
3245 if (vd->sasl.authz) {
3246 object_unparent(OBJECT(vd->sasl.authz));
3247 vd->sasl.authz = NULL;
3248 }
3249 g_free(vd->sasl.authzid);
3250 vd->sasl.authzid = NULL;
3251#endif
3252}
3253
3254int vnc_display_password(const char *id, const char *password)
3255{
3256 VncDisplay *vd = vnc_display_find(id);
3257
3258 if (!vd) {
3259 return -EINVAL;
3260 }
3261 if (vd->auth == VNC_AUTH_NONE) {
3262 error_printf_unless_qmp("If you want use passwords please enable "
3263 "password auth using '-vnc ${dpy},password'.\n");
3264 return -EINVAL;
3265 }
3266
3267 g_free(vd->password);
3268 vd->password = g_strdup(password);
3269
3270 return 0;
3271}
3272
3273int vnc_display_pw_expire(const char *id, time_t expires)
3274{
3275 VncDisplay *vd = vnc_display_find(id);
3276
3277 if (!vd) {
3278 return -EINVAL;
3279 }
3280
3281 vd->expires = expires;
3282 return 0;
3283}
3284
3285static void vnc_display_print_local_addr(VncDisplay *vd)
3286{
3287 SocketAddress *addr;
3288 Error *err = NULL;
3289
3290 if (!vd->listener || !vd->listener->nsioc) {
3291 return;
3292 }
3293
3294 addr = qio_channel_socket_get_local_address(vd->listener->sioc[0], &err);
3295 if (!addr) {
3296 return;
3297 }
3298
3299 if (addr->type != SOCKET_ADDRESS_TYPE_INET) {
3300 qapi_free_SocketAddress(addr);
3301 return;
3302 }
3303 error_printf_unless_qmp("VNC server running on %s:%s\n",
3304 addr->u.inet.host,
3305 addr->u.inet.port);
3306 qapi_free_SocketAddress(addr);
3307}
3308
3309static QemuOptsList qemu_vnc_opts = {
3310 .name = "vnc",
3311 .head = QTAILQ_HEAD_INITIALIZER(qemu_vnc_opts.head),
3312 .implied_opt_name = "vnc",
3313 .desc = {
3314 {
3315 .name = "vnc",
3316 .type = QEMU_OPT_STRING,
3317 },{
3318 .name = "websocket",
3319 .type = QEMU_OPT_STRING,
3320 },{
3321 .name = "tls-creds",
3322 .type = QEMU_OPT_STRING,
3323 },{
3324 .name = "share",
3325 .type = QEMU_OPT_STRING,
3326 },{
3327 .name = "display",
3328 .type = QEMU_OPT_STRING,
3329 },{
3330 .name = "head",
3331 .type = QEMU_OPT_NUMBER,
3332 },{
3333 .name = "connections",
3334 .type = QEMU_OPT_NUMBER,
3335 },{
3336 .name = "to",
3337 .type = QEMU_OPT_NUMBER,
3338 },{
3339 .name = "ipv4",
3340 .type = QEMU_OPT_BOOL,
3341 },{
3342 .name = "ipv6",
3343 .type = QEMU_OPT_BOOL,
3344 },{
3345 .name = "password",
3346 .type = QEMU_OPT_BOOL,
3347 },{
3348 .name = "reverse",
3349 .type = QEMU_OPT_BOOL,
3350 },{
3351 .name = "lock-key-sync",
3352 .type = QEMU_OPT_BOOL,
3353 },{
3354 .name = "key-delay-ms",
3355 .type = QEMU_OPT_NUMBER,
3356 },{
3357 .name = "sasl",
3358 .type = QEMU_OPT_BOOL,
3359 },{
3360 .name = "acl",
3361 .type = QEMU_OPT_BOOL,
3362 },{
3363 .name = "tls-authz",
3364 .type = QEMU_OPT_STRING,
3365 },{
3366 .name = "sasl-authz",
3367 .type = QEMU_OPT_STRING,
3368 },{
3369 .name = "lossy",
3370 .type = QEMU_OPT_BOOL,
3371 },{
3372 .name = "non-adaptive",
3373 .type = QEMU_OPT_BOOL,
3374 },{
3375 .name = "audiodev",
3376 .type = QEMU_OPT_STRING,
3377 },
3378 { /* end of list */ }
3379 },
3380};
3381
3382
3383static int
3384vnc_display_setup_auth(int *auth,
3385 int *subauth,
3386 QCryptoTLSCreds *tlscreds,
3387 bool password,
3388 bool sasl,
3389 bool websocket,
3390 Error **errp)
3391{
3392 /*
3393 * We have a choice of 3 authentication options
3394 *
3395 * 1. none
3396 * 2. vnc
3397 * 3. sasl
3398 *
3399 * The channel can be run in 2 modes
3400 *
3401 * 1. clear
3402 * 2. tls
3403 *
3404 * And TLS can use 2 types of credentials
3405 *
3406 * 1. anon
3407 * 2. x509
3408 *
3409 * We thus have 9 possible logical combinations
3410 *
3411 * 1. clear + none
3412 * 2. clear + vnc
3413 * 3. clear + sasl
3414 * 4. tls + anon + none
3415 * 5. tls + anon + vnc
3416 * 6. tls + anon + sasl
3417 * 7. tls + x509 + none
3418 * 8. tls + x509 + vnc
3419 * 9. tls + x509 + sasl
3420 *
3421 * These need to be mapped into the VNC auth schemes
3422 * in an appropriate manner. In regular VNC, all the
3423 * TLS options get mapped into VNC_AUTH_VENCRYPT
3424 * sub-auth types.
3425 *
3426 * In websockets, the https:// protocol already provides
3427 * TLS support, so there is no need to make use of the
3428 * VeNCrypt extension. Furthermore, websockets browser
3429 * clients could not use VeNCrypt even if they wanted to,
3430 * as they cannot control when the TLS handshake takes
3431 * place. Thus there is no option but to rely on https://,
3432 * meaning combinations 4->6 and 7->9 will be mapped to
3433 * VNC auth schemes in the same way as combos 1->3.
3434 *
3435 * Regardless of fact that we have a different mapping to
3436 * VNC auth mechs for plain VNC vs websockets VNC, the end
3437 * result has the same security characteristics.
3438 */
3439 if (websocket || !tlscreds) {
3440 if (password) {
3441 VNC_DEBUG("Initializing VNC server with password auth\n");
3442 *auth = VNC_AUTH_VNC;
3443 } else if (sasl) {
3444 VNC_DEBUG("Initializing VNC server with SASL auth\n");
3445 *auth = VNC_AUTH_SASL;
3446 } else {
3447 VNC_DEBUG("Initializing VNC server with no auth\n");
3448 *auth = VNC_AUTH_NONE;
3449 }
3450 *subauth = VNC_AUTH_INVALID;
3451 } else {
3452 bool is_x509 = object_dynamic_cast(OBJECT(tlscreds),
3453 TYPE_QCRYPTO_TLS_CREDS_X509) != NULL;
3454 bool is_anon = object_dynamic_cast(OBJECT(tlscreds),
3455 TYPE_QCRYPTO_TLS_CREDS_ANON) != NULL;
3456
3457 if (!is_x509 && !is_anon) {
3458 error_setg(errp,
3459 "Unsupported TLS cred type %s",
3460 object_get_typename(OBJECT(tlscreds)));
3461 return -1;
3462 }
3463 *auth = VNC_AUTH_VENCRYPT;
3464 if (password) {
3465 if (is_x509) {
3466 VNC_DEBUG("Initializing VNC server with x509 password auth\n");
3467 *subauth = VNC_AUTH_VENCRYPT_X509VNC;
3468 } else {
3469 VNC_DEBUG("Initializing VNC server with TLS password auth\n");
3470 *subauth = VNC_AUTH_VENCRYPT_TLSVNC;
3471 }
3472
3473 } else if (sasl) {
3474 if (is_x509) {
3475 VNC_DEBUG("Initializing VNC server with x509 SASL auth\n");
3476 *subauth = VNC_AUTH_VENCRYPT_X509SASL;
3477 } else {
3478 VNC_DEBUG("Initializing VNC server with TLS SASL auth\n");
3479 *subauth = VNC_AUTH_VENCRYPT_TLSSASL;
3480 }
3481 } else {
3482 if (is_x509) {
3483 VNC_DEBUG("Initializing VNC server with x509 no auth\n");
3484 *subauth = VNC_AUTH_VENCRYPT_X509NONE;
3485 } else {
3486 VNC_DEBUG("Initializing VNC server with TLS no auth\n");
3487 *subauth = VNC_AUTH_VENCRYPT_TLSNONE;
3488 }
3489 }
3490 }
3491 return 0;
3492}
3493
3494
3495static int vnc_display_get_address(const char *addrstr,
3496 bool websocket,
3497 bool reverse,
3498 int displaynum,
3499 int to,
3500 bool has_ipv4,
3501 bool has_ipv6,
3502 bool ipv4,
3503 bool ipv6,
3504 SocketAddress **retaddr,
3505 Error **errp)
3506{
3507 int ret = -1;
3508 SocketAddress *addr = NULL;
3509
3510 addr = g_new0(SocketAddress, 1);
3511
3512 if (strncmp(addrstr, "unix:", 5) == 0) {
3513 addr->type = SOCKET_ADDRESS_TYPE_UNIX;
3514 addr->u.q_unix.path = g_strdup(addrstr + 5);
3515
3516 if (websocket) {
3517 error_setg(errp, "UNIX sockets not supported with websock");
3518 goto cleanup;
3519 }
3520
3521 if (to) {
3522 error_setg(errp, "Port range not support with UNIX socket");
3523 goto cleanup;
3524 }
3525 ret = 0;
3526 } else {
3527 const char *port;
3528 size_t hostlen;
3529 unsigned long long baseport = 0;
3530 InetSocketAddress *inet;
3531
3532 port = strrchr(addrstr, ':');
3533 if (!port) {
3534 if (websocket) {
3535 hostlen = 0;
3536 port = addrstr;
3537 } else {
3538 error_setg(errp, "no vnc port specified");
3539 goto cleanup;
3540 }
3541 } else {
3542 hostlen = port - addrstr;
3543 port++;
3544 if (*port == '\0') {
3545 error_setg(errp, "vnc port cannot be empty");
3546 goto cleanup;
3547 }
3548 }
3549
3550 addr->type = SOCKET_ADDRESS_TYPE_INET;
3551 inet = &addr->u.inet;
3552 if (addrstr[0] == '[' && addrstr[hostlen - 1] == ']') {
3553 inet->host = g_strndup(addrstr + 1, hostlen - 2);
3554 } else {
3555 inet->host = g_strndup(addrstr, hostlen);
3556 }
3557 /* plain VNC port is just an offset, for websocket
3558 * port is absolute */
3559 if (websocket) {
3560 if (g_str_equal(addrstr, "") ||
3561 g_str_equal(addrstr, "on")) {
3562 if (displaynum == -1) {
3563 error_setg(errp, "explicit websocket port is required");
3564 goto cleanup;
3565 }
3566 inet->port = g_strdup_printf(
3567 "%d", displaynum + 5700);
3568 if (to) {
3569 inet->has_to = true;
3570 inet->to = to + 5700;
3571 }
3572 } else {
3573 inet->port = g_strdup(port);
3574 }
3575 } else {
3576 int offset = reverse ? 0 : 5900;
3577 if (parse_uint_full(port, &baseport, 10) < 0) {
3578 error_setg(errp, "can't convert to a number: %s", port);
3579 goto cleanup;
3580 }
3581 if (baseport > 65535 ||
3582 baseport + offset > 65535) {
3583 error_setg(errp, "port %s out of range", port);
3584 goto cleanup;
3585 }
3586 inet->port = g_strdup_printf(
3587 "%d", (int)baseport + offset);
3588
3589 if (to) {
3590 inet->has_to = true;
3591 inet->to = to + offset;
3592 }
3593 }
3594
3595 inet->ipv4 = ipv4;
3596 inet->has_ipv4 = has_ipv4;
3597 inet->ipv6 = ipv6;
3598 inet->has_ipv6 = has_ipv6;
3599
3600 ret = baseport;
3601 }
3602
3603 *retaddr = addr;
3604
3605 cleanup:
3606 if (ret < 0) {
3607 qapi_free_SocketAddress(addr);
3608 }
3609 return ret;
3610}
3611
3612static void vnc_free_addresses(SocketAddress ***retsaddr,
3613 size_t *retnsaddr)
3614{
3615 size_t i;
3616
3617 for (i = 0; i < *retnsaddr; i++) {
3618 qapi_free_SocketAddress((*retsaddr)[i]);
3619 }
3620 g_free(*retsaddr);
3621
3622 *retsaddr = NULL;
3623 *retnsaddr = 0;
3624}
3625
3626static int vnc_display_get_addresses(QemuOpts *opts,
3627 bool reverse,
3628 SocketAddress ***retsaddr,
3629 size_t *retnsaddr,
3630 SocketAddress ***retwsaddr,
3631 size_t *retnwsaddr,
3632 Error **errp)
3633{
3634 SocketAddress *saddr = NULL;
3635 SocketAddress *wsaddr = NULL;
3636 QemuOptsIter addriter;
3637 const char *addr;
3638 int to = qemu_opt_get_number(opts, "to", 0);
3639 bool has_ipv4 = qemu_opt_get(opts, "ipv4");
3640 bool has_ipv6 = qemu_opt_get(opts, "ipv6");
3641 bool ipv4 = qemu_opt_get_bool(opts, "ipv4", false);
3642 bool ipv6 = qemu_opt_get_bool(opts, "ipv6", false);
3643 int displaynum = -1;
3644 int ret = -1;
3645
3646 *retsaddr = NULL;
3647 *retnsaddr = 0;
3648 *retwsaddr = NULL;
3649 *retnwsaddr = 0;
3650
3651 addr = qemu_opt_get(opts, "vnc");
3652 if (addr == NULL || g_str_equal(addr, "none")) {
3653 ret = 0;
3654 goto cleanup;
3655 }
3656 if (qemu_opt_get(opts, "websocket") &&
3657 !qcrypto_hash_supports(QCRYPTO_HASH_ALG_SHA1)) {
3658 error_setg(errp,
3659 "SHA1 hash support is required for websockets");
3660 goto cleanup;
3661 }
3662
3663 qemu_opt_iter_init(&addriter, opts, "vnc");
3664 while ((addr = qemu_opt_iter_next(&addriter)) != NULL) {
3665 int rv;
3666 rv = vnc_display_get_address(addr, false, reverse, 0, to,
3667 has_ipv4, has_ipv6,
3668 ipv4, ipv6,
3669 &saddr, errp);
3670 if (rv < 0) {
3671 goto cleanup;
3672 }
3673 /* Historical compat - first listen address can be used
3674 * to set the default websocket port
3675 */
3676 if (displaynum == -1) {
3677 displaynum = rv;
3678 }
3679 *retsaddr = g_renew(SocketAddress *, *retsaddr, *retnsaddr + 1);
3680 (*retsaddr)[(*retnsaddr)++] = saddr;
3681 }
3682
3683 /* If we had multiple primary displays, we don't do defaults
3684 * for websocket, and require explicit config instead. */
3685 if (*retnsaddr > 1) {
3686 displaynum = -1;
3687 }
3688
3689 qemu_opt_iter_init(&addriter, opts, "websocket");
3690 while ((addr = qemu_opt_iter_next(&addriter)) != NULL) {
3691 if (vnc_display_get_address(addr, true, reverse, displaynum, to,
3692 has_ipv4, has_ipv6,
3693 ipv4, ipv6,
3694 &wsaddr, errp) < 0) {
3695 goto cleanup;
3696 }
3697
3698 /* Historical compat - if only a single listen address was
3699 * provided, then this is used to set the default listen
3700 * address for websocket too
3701 */
3702 if (*retnsaddr == 1 &&
3703 (*retsaddr)[0]->type == SOCKET_ADDRESS_TYPE_INET &&
3704 wsaddr->type == SOCKET_ADDRESS_TYPE_INET &&
3705 g_str_equal(wsaddr->u.inet.host, "") &&
3706 !g_str_equal((*retsaddr)[0]->u.inet.host, "")) {
3707 g_free(wsaddr->u.inet.host);
3708 wsaddr->u.inet.host = g_strdup((*retsaddr)[0]->u.inet.host);
3709 }
3710
3711 *retwsaddr = g_renew(SocketAddress *, *retwsaddr, *retnwsaddr + 1);
3712 (*retwsaddr)[(*retnwsaddr)++] = wsaddr;
3713 }
3714
3715 ret = 0;
3716 cleanup:
3717 if (ret < 0) {
3718 vnc_free_addresses(retsaddr, retnsaddr);
3719 vnc_free_addresses(retwsaddr, retnwsaddr);
3720 }
3721 return ret;
3722}
3723
3724static int vnc_display_connect(VncDisplay *vd,
3725 SocketAddress **saddr,
3726 size_t nsaddr,
3727 SocketAddress **wsaddr,
3728 size_t nwsaddr,
3729 Error **errp)
3730{
3731 /* connect to viewer */
3732 QIOChannelSocket *sioc = NULL;
3733 if (nwsaddr != 0) {
3734 error_setg(errp, "Cannot use websockets in reverse mode");
3735 return -1;
3736 }
3737 if (nsaddr != 1) {
3738 error_setg(errp, "Expected a single address in reverse mode");
3739 return -1;
3740 }
3741 /* TODO SOCKET_ADDRESS_TYPE_FD when fd has AF_UNIX */
3742 vd->is_unix = saddr[0]->type == SOCKET_ADDRESS_TYPE_UNIX;
3743 sioc = qio_channel_socket_new();
3744 qio_channel_set_name(QIO_CHANNEL(sioc), "vnc-reverse");
3745 if (qio_channel_socket_connect_sync(sioc, saddr[0], errp) < 0) {
3746 return -1;
3747 }
3748 vnc_connect(vd, sioc, false, false);
3749 object_unref(OBJECT(sioc));
3750 return 0;
3751}
3752
3753
3754static int vnc_display_listen(VncDisplay *vd,
3755 SocketAddress **saddr,
3756 size_t nsaddr,
3757 SocketAddress **wsaddr,
3758 size_t nwsaddr,
3759 Error **errp)
3760{
3761 size_t i;
3762
3763 if (nsaddr) {
3764 vd->listener = qio_net_listener_new();
3765 qio_net_listener_set_name(vd->listener, "vnc-listen");
3766 for (i = 0; i < nsaddr; i++) {
3767 if (qio_net_listener_open_sync(vd->listener,
3768 saddr[i], 1,
3769 errp) < 0) {
3770 return -1;
3771 }
3772 }
3773
3774 qio_net_listener_set_client_func(vd->listener,
3775 vnc_listen_io, vd, NULL);
3776 }
3777
3778 if (nwsaddr) {
3779 vd->wslistener = qio_net_listener_new();
3780 qio_net_listener_set_name(vd->wslistener, "vnc-ws-listen");
3781 for (i = 0; i < nwsaddr; i++) {
3782 if (qio_net_listener_open_sync(vd->wslistener,
3783 wsaddr[i], 1,
3784 errp) < 0) {
3785 return -1;
3786 }
3787 }
3788
3789 qio_net_listener_set_client_func(vd->wslistener,
3790 vnc_listen_io, vd, NULL);
3791 }
3792
3793 return 0;
3794}
3795
3796
3797void vnc_display_open(const char *id, Error **errp)
3798{
3799 VncDisplay *vd = vnc_display_find(id);
3800 QemuOpts *opts = qemu_opts_find(&qemu_vnc_opts, id);
3801 SocketAddress **saddr = NULL, **wsaddr = NULL;
3802 size_t nsaddr, nwsaddr;
3803 const char *share, *device_id;
3804 QemuConsole *con;
3805 bool password = false;
3806 bool reverse = false;
3807 const char *credid;
3808 bool sasl = false;
3809 int acl = 0;
3810 const char *tlsauthz;
3811 const char *saslauthz;
3812 int lock_key_sync = 1;
3813 int key_delay_ms;
3814 const char *audiodev;
3815
3816 if (!vd) {
3817 error_setg(errp, "VNC display not active");
3818 return;
3819 }
3820 vnc_display_close(vd);
3821
3822 if (!opts) {
3823 return;
3824 }
3825
3826 reverse = qemu_opt_get_bool(opts, "reverse", false);
3827 if (vnc_display_get_addresses(opts, reverse, &saddr, &nsaddr,
3828 &wsaddr, &nwsaddr, errp) < 0) {
3829 goto fail;
3830 }
3831
3832 password = qemu_opt_get_bool(opts, "password", false);
3833 if (password) {
3834 if (fips_get_state()) {
3835 error_setg(errp,
3836 "VNC password auth disabled due to FIPS mode, "
3837 "consider using the VeNCrypt or SASL authentication "
3838 "methods as an alternative");
3839 goto fail;
3840 }
3841 if (!qcrypto_cipher_supports(
3842 QCRYPTO_CIPHER_ALG_DES_RFB, QCRYPTO_CIPHER_MODE_ECB)) {
3843 error_setg(errp,
3844 "Cipher backend does not support DES RFB algorithm");
3845 goto fail;
3846 }
3847 }
3848
3849 lock_key_sync = qemu_opt_get_bool(opts, "lock-key-sync", true);
3850 key_delay_ms = qemu_opt_get_number(opts, "key-delay-ms", 10);
3851 sasl = qemu_opt_get_bool(opts, "sasl", false);
3852#ifndef CONFIG_VNC_SASL
3853 if (sasl) {
3854 error_setg(errp, "VNC SASL auth requires cyrus-sasl support");
3855 goto fail;
3856 }
3857#endif /* CONFIG_VNC_SASL */
3858 credid = qemu_opt_get(opts, "tls-creds");
3859 if (credid) {
3860 Object *creds;
3861 creds = object_resolve_path_component(
3862 object_get_objects_root(), credid);
3863 if (!creds) {
3864 error_setg(errp, "No TLS credentials with id '%s'",
3865 credid);
3866 goto fail;
3867 }
3868 vd->tlscreds = (QCryptoTLSCreds *)
3869 object_dynamic_cast(creds,
3870 TYPE_QCRYPTO_TLS_CREDS);
3871 if (!vd->tlscreds) {
3872 error_setg(errp, "Object with id '%s' is not TLS credentials",
3873 credid);
3874 goto fail;
3875 }
3876 object_ref(OBJECT(vd->tlscreds));
3877
3878 if (vd->tlscreds->endpoint != QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) {
3879 error_setg(errp,
3880 "Expecting TLS credentials with a server endpoint");
3881 goto fail;
3882 }
3883 }
3884 if (qemu_opt_get(opts, "acl")) {
3885 error_report("The 'acl' option to -vnc is deprecated. "
3886 "Please use the 'tls-authz' and 'sasl-authz' "
3887 "options instead");
3888 }
3889 acl = qemu_opt_get_bool(opts, "acl", false);
3890 tlsauthz = qemu_opt_get(opts, "tls-authz");
3891 if (acl && tlsauthz) {
3892 error_setg(errp, "'acl' option is mutually exclusive with the "
3893 "'tls-authz' option");
3894 goto fail;
3895 }
3896 if (tlsauthz && !vd->tlscreds) {
3897 error_setg(errp, "'tls-authz' provided but TLS is not enabled");
3898 goto fail;
3899 }
3900
3901 saslauthz = qemu_opt_get(opts, "sasl-authz");
3902 if (acl && saslauthz) {
3903 error_setg(errp, "'acl' option is mutually exclusive with the "
3904 "'sasl-authz' option");
3905 goto fail;
3906 }
3907 if (saslauthz && !sasl) {
3908 error_setg(errp, "'sasl-authz' provided but SASL auth is not enabled");
3909 goto fail;
3910 }
3911
3912 share = qemu_opt_get(opts, "share");
3913 if (share) {
3914 if (strcmp(share, "ignore") == 0) {
3915 vd->share_policy = VNC_SHARE_POLICY_IGNORE;
3916 } else if (strcmp(share, "allow-exclusive") == 0) {
3917 vd->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
3918 } else if (strcmp(share, "force-shared") == 0) {
3919 vd->share_policy = VNC_SHARE_POLICY_FORCE_SHARED;
3920 } else {
3921 error_setg(errp, "unknown vnc share= option");
3922 goto fail;
3923 }
3924 } else {
3925 vd->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
3926 }
3927 vd->connections_limit = qemu_opt_get_number(opts, "connections", 32);
3928
3929#ifdef CONFIG_VNC_JPEG
3930 vd->lossy = qemu_opt_get_bool(opts, "lossy", false);
3931#endif
3932 vd->non_adaptive = qemu_opt_get_bool(opts, "non-adaptive", false);
3933 /* adaptive updates are only used with tight encoding and
3934 * if lossy updates are enabled so we can disable all the
3935 * calculations otherwise */
3936 if (!vd->lossy) {
3937 vd->non_adaptive = true;
3938 }
3939
3940 if (tlsauthz) {
3941 vd->tlsauthzid = g_strdup(tlsauthz);
3942 } else if (acl) {
3943 if (strcmp(vd->id, "default") == 0) {
3944 vd->tlsauthzid = g_strdup("vnc.x509dname");
3945 } else {
3946 vd->tlsauthzid = g_strdup_printf("vnc.%s.x509dname", vd->id);
3947 }
3948 vd->tlsauthz = QAUTHZ(qauthz_list_new(vd->tlsauthzid,
3949 QAUTHZ_LIST_POLICY_DENY,
3950 &error_abort));
3951 }
3952#ifdef CONFIG_VNC_SASL
3953 if (sasl) {
3954 if (saslauthz) {
3955 vd->sasl.authzid = g_strdup(saslauthz);
3956 } else if (acl) {
3957 if (strcmp(vd->id, "default") == 0) {
3958 vd->sasl.authzid = g_strdup("vnc.username");
3959 } else {
3960 vd->sasl.authzid = g_strdup_printf("vnc.%s.username", vd->id);
3961 }
3962 vd->sasl.authz = QAUTHZ(qauthz_list_new(vd->sasl.authzid,
3963 QAUTHZ_LIST_POLICY_DENY,
3964 &error_abort));
3965 }
3966 }
3967#endif
3968
3969 if (vnc_display_setup_auth(&vd->auth, &vd->subauth,
3970 vd->tlscreds, password,
3971 sasl, false, errp) < 0) {
3972 goto fail;
3973 }
3974 trace_vnc_auth_init(vd, 0, vd->auth, vd->subauth);
3975
3976 if (vnc_display_setup_auth(&vd->ws_auth, &vd->ws_subauth,
3977 vd->tlscreds, password,
3978 sasl, true, errp) < 0) {
3979 goto fail;
3980 }
3981 trace_vnc_auth_init(vd, 1, vd->ws_auth, vd->ws_subauth);
3982
3983#ifdef CONFIG_VNC_SASL
3984 if (sasl) {
3985 int saslErr = sasl_server_init(NULL, "qemu");
3986
3987 if (saslErr != SASL_OK) {
3988 error_setg(errp, "Failed to initialize SASL auth: %s",
3989 sasl_errstring(saslErr, NULL, NULL));
3990 goto fail;
3991 }
3992 }
3993#endif
3994 vd->lock_key_sync = lock_key_sync;
3995 if (lock_key_sync) {
3996 vd->led = qemu_add_led_event_handler(kbd_leds, vd);
3997 }
3998 vd->ledstate = 0;
3999
4000 audiodev = qemu_opt_get(opts, "audiodev");
4001 if (audiodev) {
4002 vd->audio_state = audio_state_by_name(audiodev);
4003 if (!vd->audio_state) {
4004 error_setg(errp, "Audiodev '%s' not found", audiodev);
4005 goto fail;
4006 }
4007 }
4008
4009 device_id = qemu_opt_get(opts, "display");
4010 if (device_id) {
4011 int head = qemu_opt_get_number(opts, "head", 0);
4012 Error *err = NULL;
4013
4014 con = qemu_console_lookup_by_device_name(device_id, head, &err);
4015 if (err) {
4016 error_propagate(errp, err);
4017 goto fail;
4018 }
4019 } else {
4020 con = NULL;
4021 }
4022
4023 if (con != vd->dcl.con) {
4024 qkbd_state_free(vd->kbd);
4025 unregister_displaychangelistener(&vd->dcl);
4026 vd->dcl.con = con;
4027 register_displaychangelistener(&vd->dcl);
4028 vd->kbd = qkbd_state_init(vd->dcl.con);
4029 }
4030 qkbd_state_set_delay(vd->kbd, key_delay_ms);
4031
4032 if (saddr == NULL) {
4033 goto cleanup;
4034 }
4035
4036 if (reverse) {
4037 if (vnc_display_connect(vd, saddr, nsaddr, wsaddr, nwsaddr, errp) < 0) {
4038 goto fail;
4039 }
4040 } else {
4041 if (vnc_display_listen(vd, saddr, nsaddr, wsaddr, nwsaddr, errp) < 0) {
4042 goto fail;
4043 }
4044 }
4045
4046 if (qemu_opt_get(opts, "to")) {
4047 vnc_display_print_local_addr(vd);
4048 }
4049
4050 cleanup:
4051 vnc_free_addresses(&saddr, &nsaddr);
4052 vnc_free_addresses(&wsaddr, &nwsaddr);
4053 return;
4054
4055fail:
4056 vnc_display_close(vd);
4057 goto cleanup;
4058}
4059
4060void vnc_display_add_client(const char *id, int csock, bool skipauth)
4061{
4062 VncDisplay *vd = vnc_display_find(id);
4063 QIOChannelSocket *sioc;
4064
4065 if (!vd) {
4066 return;
4067 }
4068
4069 sioc = qio_channel_socket_new_fd(csock, NULL);
4070 if (sioc) {
4071 qio_channel_set_name(QIO_CHANNEL(sioc), "vnc-server");
4072 vnc_connect(vd, sioc, skipauth, false);
4073 object_unref(OBJECT(sioc));
4074 }
4075}
4076
4077static void vnc_auto_assign_id(QemuOptsList *olist, QemuOpts *opts)
4078{
4079 int i = 2;
4080 char *id;
4081
4082 id = g_strdup("default");
4083 while (qemu_opts_find(olist, id)) {
4084 g_free(id);
4085 id = g_strdup_printf("vnc%d", i++);
4086 }
4087 qemu_opts_set_id(opts, id);
4088}
4089
4090QemuOpts *vnc_parse(const char *str, Error **errp)
4091{
4092 QemuOptsList *olist = qemu_find_opts("vnc");
4093 QemuOpts *opts = qemu_opts_parse(olist, str, true, errp);
4094 const char *id;
4095
4096 if (!opts) {
4097 return NULL;
4098 }
4099
4100 id = qemu_opts_id(opts);
4101 if (!id) {
4102 /* auto-assign id if not present */
4103 vnc_auto_assign_id(olist, opts);
4104 }
4105 return opts;
4106}
4107
4108int vnc_init_func(void *opaque, QemuOpts *opts, Error **errp)
4109{
4110 Error *local_err = NULL;
4111 char *id = (char *)qemu_opts_id(opts);
4112
4113 assert(id);
4114 vnc_display_init(id, &local_err);
4115 if (local_err) {
4116 error_propagate(errp, local_err);
4117 return -1;
4118 }
4119 vnc_display_open(id, &local_err);
4120 if (local_err != NULL) {
4121 error_propagate(errp, local_err);
4122 return -1;
4123 }
4124 return 0;
4125}
4126
4127static void vnc_register_config(void)
4128{
4129 qemu_add_opts(&qemu_vnc_opts);
4130}
4131opts_init(vnc_register_config);
4132