Archipelago » qemu

/*

 * QEMU VNC display driver

 *

 * Copyright (C) 2006 Anthony Liguori <anthony@codemonkey.ws>

 * Copyright (C) 2006 Fabrice Bellard

 * Copyright (C) 2009 Red Hat, Inc

 *

 * Permission is hereby granted, free of charge, to any person obtaining a copy

 * of this software and associated documentation files (the "Software"), to deal

 * in the Software without restriction, including without limitation the rights

 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell

 * copies of the Software, and to permit persons to whom the Software is

 * furnished to do so, subject to the following conditions:

 *

 * The above copyright notice and this permission notice shall be included in

 * all copies or substantial portions of the Software.

 *

 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR

 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,

 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL

 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER

 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,

 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN

 * THE SOFTWARE.

 */

#include "vnc.h"

#include "vnc-jobs.h"

#include "sysemu.h"

#include "qemu_socket.h"

#include "qemu-timer.h"

#include "acl.h"

#include "qemu-objects.h"

#define VNC_REFRESH_INTERVAL_BASE 30

#define VNC_REFRESH_INTERVAL_INC  50

#define VNC_REFRESH_INTERVAL_MAX  2000

static const struct timeval VNC_REFRESH_STATS = { 0, 500000 };

static const struct timeval VNC_REFRESH_LOSSY = { 2, 0 };

#include "vnc_keysym.h"

#include "d3des.h"

static VncDisplay *vnc_display; /* needed for info vnc */

static DisplayChangeListener *dcl;

static int vnc_cursor_define(VncState *vs);

static char *addr_to_string(const char *format,

                            struct sockaddr_storage *sa,

                            socklen_t salen) {

    char *addr;

    char host[NI_MAXHOST];

    char serv[NI_MAXSERV];

    int err;

    size_t addrlen;

    if ((err = getnameinfo((struct sockaddr *)sa, salen,

                           host, sizeof(host),

                           serv, sizeof(serv),

                           NI_NUMERICHOST | NI_NUMERICSERV)) != 0) {

        VNC_DEBUG("Cannot resolve address %d: %s\n",

                  err, gai_strerror(err));

        return NULL;

    }

    /* Enough for the existing format + the 2 vars we're

     * substituting in. */

    addrlen = strlen(format) + strlen(host) + strlen(serv);

    addr = qemu_malloc(addrlen + 1);

    snprintf(addr, addrlen, format, host, serv);

    addr[addrlen] = '\0';

    return addr;

}

char *vnc_socket_local_addr(const char *format, int fd) {

    struct sockaddr_storage sa;

    socklen_t salen;

    salen = sizeof(sa);

    if (getsockname(fd, (struct sockaddr*)&sa, &salen) < 0)

        return NULL;

    return addr_to_string(format, &sa, salen);

}

char *vnc_socket_remote_addr(const char *format, int fd) {

    struct sockaddr_storage sa;

    socklen_t salen;

    salen = sizeof(sa);

    if (getpeername(fd, (struct sockaddr*)&sa, &salen) < 0)

        return NULL;

    return addr_to_string(format, &sa, salen);

}

static int put_addr_qdict(QDict *qdict, struct sockaddr_storage *sa,

                          socklen_t salen)

{

    char host[NI_MAXHOST];

    char serv[NI_MAXSERV];

    int err;

    if ((err = getnameinfo((struct sockaddr *)sa, salen,

                           host, sizeof(host),

                           serv, sizeof(serv),

                           NI_NUMERICHOST | NI_NUMERICSERV)) != 0) {

        VNC_DEBUG("Cannot resolve address %d: %s\n",

                  err, gai_strerror(err));

        return -1;

    }

    qdict_put(qdict, "host", qstring_from_str(host));

    qdict_put(qdict, "service", qstring_from_str(serv));

    qdict_put(qdict, "family",qstring_from_str(inet_strfamily(sa->ss_family)));

    return 0;

}

static int vnc_server_addr_put(QDict *qdict, int fd)

{

    struct sockaddr_storage sa;

    socklen_t salen;

    salen = sizeof(sa);

    if (getsockname(fd, (struct sockaddr*)&sa, &salen) < 0) {

        return -1;

    }

    return put_addr_qdict(qdict, &sa, salen);

}

static int vnc_qdict_remote_addr(QDict *qdict, int fd)

{

    struct sockaddr_storage sa;

    socklen_t salen;

    salen = sizeof(sa);

    if (getpeername(fd, (struct sockaddr*)&sa, &salen) < 0) {

        return -1;

    }

    return put_addr_qdict(qdict, &sa, salen);

}

static const char *vnc_auth_name(VncDisplay *vd) {

    switch (vd->auth) {

    case VNC_AUTH_INVALID:

        return "invalid";

    case VNC_AUTH_NONE:

        return "none";

    case VNC_AUTH_VNC:

        return "vnc";

    case VNC_AUTH_RA2:

        return "ra2";

    case VNC_AUTH_RA2NE:

        return "ra2ne";

    case VNC_AUTH_TIGHT:

        return "tight";

    case VNC_AUTH_ULTRA:

        return "ultra";

    case VNC_AUTH_TLS:

        return "tls";

    case VNC_AUTH_VENCRYPT:

#ifdef CONFIG_VNC_TLS

        switch (vd->subauth) {

        case VNC_AUTH_VENCRYPT_PLAIN:

            return "vencrypt+plain";

        case VNC_AUTH_VENCRYPT_TLSNONE:

            return "vencrypt+tls+none";

        case VNC_AUTH_VENCRYPT_TLSVNC:

            return "vencrypt+tls+vnc";

        case VNC_AUTH_VENCRYPT_TLSPLAIN:

            return "vencrypt+tls+plain";

        case VNC_AUTH_VENCRYPT_X509NONE:

            return "vencrypt+x509+none";

        case VNC_AUTH_VENCRYPT_X509VNC:

            return "vencrypt+x509+vnc";

        case VNC_AUTH_VENCRYPT_X509PLAIN:

            return "vencrypt+x509+plain";

        case VNC_AUTH_VENCRYPT_TLSSASL:

            return "vencrypt+tls+sasl";

        case VNC_AUTH_VENCRYPT_X509SASL:

            return "vencrypt+x509+sasl";

        default:

            return "vencrypt";

        }

#else

        return "vencrypt";

#endif

    case VNC_AUTH_SASL:

        return "sasl";

    }

    return "unknown";

}

static int vnc_server_info_put(QDict *qdict)

{

    if (vnc_server_addr_put(qdict, vnc_display->lsock) < 0) {

        return -1;

    }

    qdict_put(qdict, "auth", qstring_from_str(vnc_auth_name(vnc_display)));

    return 0;

}

static void vnc_client_cache_auth(VncState *client)

{

#if defined(CONFIG_VNC_TLS) || defined(CONFIG_VNC_SASL)

    QDict *qdict;

#endif

    if (!client->info) {

        return;

    }

#if defined(CONFIG_VNC_TLS) || defined(CONFIG_VNC_SASL)

    qdict = qobject_to_qdict(client->info);

#endif

#ifdef CONFIG_VNC_TLS

    if (client->tls.session &&

        client->tls.dname) {

        qdict_put(qdict, "x509_dname", qstring_from_str(client->tls.dname));

    }

#endif

#ifdef CONFIG_VNC_SASL

    if (client->sasl.conn &&

        client->sasl.username) {

        qdict_put(qdict, "sasl_username",

                  qstring_from_str(client->sasl.username));

    }

#endif

}

static void vnc_client_cache_addr(VncState *client)

{

    QDict *qdict;

    qdict = qdict_new();

    if (vnc_qdict_remote_addr(qdict, client->csock) < 0) {

        QDECREF(qdict);

        /* XXX: how to report the error? */

        return;

    }

    client->info = QOBJECT(qdict);

}

static void vnc_qmp_event(VncState *vs, MonitorEvent event)

{

    QDict *server;

    QObject *data;

    if (!vs->info) {

        return;

    }

    server = qdict_new();

    if (vnc_server_info_put(server) < 0) {

        QDECREF(server);

        return;

    }

    data = qobject_from_jsonf("{ 'client': %p, 'server': %p }",

                              vs->info, QOBJECT(server));

    monitor_protocol_event(event, data);

    qobject_incref(vs->info);

    qobject_decref(data);

}

static void info_vnc_iter(QObject *obj, void *opaque)

{

    QDict *client;

    Monitor *mon = opaque;

    client = qobject_to_qdict(obj);

    monitor_printf(mon, "Client:\n");

    monitor_printf(mon, "     address: %s:%s\n",

                   qdict_get_str(client, "host"),

                   qdict_get_str(client, "service"));

#ifdef CONFIG_VNC_TLS

    monitor_printf(mon, "  x509_dname: %s\n",

        qdict_haskey(client, "x509_dname") ?

        qdict_get_str(client, "x509_dname") : "none");

#endif

#ifdef CONFIG_VNC_SASL

    monitor_printf(mon, "    username: %s\n",

        qdict_haskey(client, "sasl_username") ?

        qdict_get_str(client, "sasl_username") : "none");

#endif

}

void do_info_vnc_print(Monitor *mon, const QObject *data)

{

    QDict *server;

    QList *clients;

    server = qobject_to_qdict(data);

    if (qdict_get_bool(server, "enabled") == 0) {

        monitor_printf(mon, "Server: disabled\n");

        return;

    }

    monitor_printf(mon, "Server:\n");

    monitor_printf(mon, "     address: %s:%s\n",

                   qdict_get_str(server, "host"),

                   qdict_get_str(server, "service"));

    monitor_printf(mon, "        auth: %s\n", qdict_get_str(server, "auth"));

    clients = qdict_get_qlist(server, "clients");

    if (qlist_empty(clients)) {

        monitor_printf(mon, "Client: none\n");

    } else {

        qlist_iter(clients, info_vnc_iter, mon);

    }

}

void do_info_vnc(Monitor *mon, QObject **ret_data)

{

    if (vnc_display == NULL || vnc_display->display == NULL) {

        *ret_data = qobject_from_jsonf("{ 'enabled': false }");

    } else {

        QList *clist;

        VncState *client;

        clist = qlist_new();

        QTAILQ_FOREACH(client, &vnc_display->clients, next) {

            if (client->info) {

                /* incref so that it's not freed by upper layers */

                qobject_incref(client->info);

                qlist_append_obj(clist, client->info);

            }

        }

        *ret_data = qobject_from_jsonf("{ 'enabled': true, 'clients': %p }",

                                       QOBJECT(clist));

        assert(*ret_data != NULL);

        if (vnc_server_info_put(qobject_to_qdict(*ret_data)) < 0) {

            qobject_decref(*ret_data);

            *ret_data = NULL;

        }

    }

}

/* TODO

   1) Get the queue working for IO.

   2) there is some weirdness when using the -S option (the screen is grey

      and not totally invalidated

   3) resolutions > 1024

*/

static int vnc_update_client(VncState *vs, int has_dirty);

static int vnc_update_client_sync(VncState *vs, int has_dirty);

static void vnc_disconnect_start(VncState *vs);

static void vnc_disconnect_finish(VncState *vs);

static void vnc_init_timer(VncDisplay *vd);

static void vnc_remove_timer(VncDisplay *vd);

static void vnc_colordepth(VncState *vs);

static void framebuffer_update_request(VncState *vs, int incremental,

                                       int x_position, int y_position,

                                       int w, int h);

static void vnc_refresh(void *opaque);

static int vnc_refresh_server_surface(VncDisplay *vd);

static void vnc_dpy_update(DisplayState *ds, int x, int y, int w, int h)

{

    int i;

    VncDisplay *vd = ds->opaque;

    struct VncSurface *s = &vd->guest;

    h += y;

    /* round x down to ensure the loop only spans one 16-pixel block per,

       iteration.  otherwise, if (x % 16) != 0, the last iteration may span

       two 16-pixel blocks but we only mark the first as dirty

    */

    w += (x % 16);

    x -= (x % 16);

    x = MIN(x, s->ds->width);

    y = MIN(y, s->ds->height);

    w = MIN(x + w, s->ds->width) - x;

    h = MIN(h, s->ds->height);

    for (; y < h; y++)

        for (i = 0; i < w; i += 16)

            set_bit((x + i) / 16, s->dirty[y]);

}

void vnc_framebuffer_update(VncState *vs, int x, int y, int w, int h,

                            int32_t encoding)

{

    vnc_write_u16(vs, x);

    vnc_write_u16(vs, y);

    vnc_write_u16(vs, w);

    vnc_write_u16(vs, h);

    vnc_write_s32(vs, encoding);

}

void buffer_reserve(Buffer *buffer, size_t len)

{

    if ((buffer->capacity - buffer->offset) < len) {

        buffer->capacity += (len + 1024);

        buffer->buffer = qemu_realloc(buffer->buffer, buffer->capacity);

        if (buffer->buffer == NULL) {

            fprintf(stderr, "vnc: out of memory\n");

            exit(1);

        }

    }

}

int buffer_empty(Buffer *buffer)

{

    return buffer->offset == 0;

}

uint8_t *buffer_end(Buffer *buffer)

{

    return buffer->buffer + buffer->offset;

}

void buffer_reset(Buffer *buffer)

{

        buffer->offset = 0;

}

void buffer_free(Buffer *buffer)

{

    qemu_free(buffer->buffer);

    buffer->offset = 0;

    buffer->capacity = 0;

    buffer->buffer = NULL;

}

void buffer_append(Buffer *buffer, const void *data, size_t len)

{

    memcpy(buffer->buffer + buffer->offset, data, len);

    buffer->offset += len;

}

static void vnc_desktop_resize(VncState *vs)

{

    DisplayState *ds = vs->ds;

    if (vs->csock == -1 || !vnc_has_feature(vs, VNC_FEATURE_RESIZE)) {

        return;

    }

    if (vs->client_width == ds_get_width(ds) &&

        vs->client_height == ds_get_height(ds)) {

        return;

    }

    vs->client_width = ds_get_width(ds);

    vs->client_height = ds_get_height(ds);

    vnc_lock_output(vs);

    vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);

    vnc_write_u8(vs, 0);

    vnc_write_u16(vs, 1); /* number of rects */

    vnc_framebuffer_update(vs, 0, 0, vs->client_width, vs->client_height,

                           VNC_ENCODING_DESKTOPRESIZE);

    vnc_unlock_output(vs);

    vnc_flush(vs);

}

#ifdef CONFIG_VNC_THREAD

static void vnc_abort_display_jobs(VncDisplay *vd)

{

    VncState *vs;

    QTAILQ_FOREACH(vs, &vd->clients, next) {

        vnc_lock_output(vs);

        vs->abort = true;

        vnc_unlock_output(vs);

    }

    QTAILQ_FOREACH(vs, &vd->clients, next) {

        vnc_jobs_join(vs);

    }

    QTAILQ_FOREACH(vs, &vd->clients, next) {

        vnc_lock_output(vs);

        vs->abort = false;

        vnc_unlock_output(vs);

    }

}

#else

static void vnc_abort_display_jobs(VncDisplay *vd)

{

}

#endif

static void vnc_dpy_resize(DisplayState *ds)

{

    VncDisplay *vd = ds->opaque;

    VncState *vs;

    vnc_abort_display_jobs(vd);

    /* server surface */

    if (!vd->server)

        vd->server = qemu_mallocz(sizeof(*vd->server));

    if (vd->server->data)

        qemu_free(vd->server->data);

    *(vd->server) = *(ds->surface);

    vd->server->data = qemu_mallocz(vd->server->linesize *

                                    vd->server->height);

    /* guest surface */

    if (!vd->guest.ds)

        vd->guest.ds = qemu_mallocz(sizeof(*vd->guest.ds));

    if (ds_get_bytes_per_pixel(ds) != vd->guest.ds->pf.bytes_per_pixel)

        console_color_init(ds);

    *(vd->guest.ds) = *(ds->surface);

    memset(vd->guest.dirty, 0xFF, sizeof(vd->guest.dirty));

    QTAILQ_FOREACH(vs, &vd->clients, next) {

        vnc_colordepth(vs);

        vnc_desktop_resize(vs);

        if (vs->vd->cursor) {

            vnc_cursor_define(vs);

        }

        memset(vs->dirty, 0xFF, sizeof(vs->dirty));

    }

}

/* fastest code */

static void vnc_write_pixels_copy(VncState *vs, struct PixelFormat *pf,

                                  void *pixels, int size)

{

    vnc_write(vs, pixels, size);

}

/* slowest but generic code. */

void vnc_convert_pixel(VncState *vs, uint8_t *buf, uint32_t v)

{

    uint8_t r, g, b;

    VncDisplay *vd = vs->vd;

    r = ((((v & vd->server->pf.rmask) >> vd->server->pf.rshift) << vs->clientds.pf.rbits) >>

        vd->server->pf.rbits);

    g = ((((v & vd->server->pf.gmask) >> vd->server->pf.gshift) << vs->clientds.pf.gbits) >>

        vd->server->pf.gbits);

    b = ((((v & vd->server->pf.bmask) >> vd->server->pf.bshift) << vs->clientds.pf.bbits) >>

        vd->server->pf.bbits);

    v = (r << vs->clientds.pf.rshift) |

        (g << vs->clientds.pf.gshift) |

        (b << vs->clientds.pf.bshift);

    switch(vs->clientds.pf.bytes_per_pixel) {

    case 1:

        buf[0] = v;

        break;

    case 2:

        if (vs->clientds.flags & QEMU_BIG_ENDIAN_FLAG) {

            buf[0] = v >> 8;

            buf[1] = v;

        } else {

            buf[1] = v >> 8;

            buf[0] = v;

        }

        break;

    default:

    case 4:

        if (vs->clientds.flags & QEMU_BIG_ENDIAN_FLAG) {

            buf[0] = v >> 24;

            buf[1] = v >> 16;

            buf[2] = v >> 8;

            buf[3] = v;

        } else {

            buf[3] = v >> 24;

            buf[2] = v >> 16;

            buf[1] = v >> 8;

            buf[0] = v;

        }

        break;

    }

}

static void vnc_write_pixels_generic(VncState *vs, struct PixelFormat *pf,

                                     void *pixels1, int size)

{

    uint8_t buf[4];

    if (pf->bytes_per_pixel == 4) {

        uint32_t *pixels = pixels1;

        int n, i;

        n = size >> 2;

        for(i = 0; i < n; i++) {

            vnc_convert_pixel(vs, buf, pixels[i]);

            vnc_write(vs, buf, vs->clientds.pf.bytes_per_pixel);

        }

    } else if (pf->bytes_per_pixel == 2) {

        uint16_t *pixels = pixels1;

        int n, i;

        n = size >> 1;

        for(i = 0; i < n; i++) {

            vnc_convert_pixel(vs, buf, pixels[i]);

            vnc_write(vs, buf, vs->clientds.pf.bytes_per_pixel);

        }

    } else if (pf->bytes_per_pixel == 1) {

        uint8_t *pixels = pixels1;

        int n, i;

        n = size;

        for(i = 0; i < n; i++) {

            vnc_convert_pixel(vs, buf, pixels[i]);

            vnc_write(vs, buf, vs->clientds.pf.bytes_per_pixel);

        }

    } else {

        fprintf(stderr, "vnc_write_pixels_generic: VncState color depth not supported\n");

    }

}

int vnc_raw_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)

{

    int i;

    uint8_t *row;

    VncDisplay *vd = vs->vd;

    row = vd->server->data + y * ds_get_linesize(vs->ds) + x * ds_get_bytes_per_pixel(vs->ds);

    for (i = 0; i < h; i++) {

        vs->write_pixels(vs, &vd->server->pf, row, w * ds_get_bytes_per_pixel(vs->ds));

        row += ds_get_linesize(vs->ds);

    }

    return 1;

}

int vnc_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)

{

    int n = 0;

    switch(vs->vnc_encoding) {

        case VNC_ENCODING_ZLIB:

            n = vnc_zlib_send_framebuffer_update(vs, x, y, w, h);

            break;

        case VNC_ENCODING_HEXTILE:

            vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_HEXTILE);

            n = vnc_hextile_send_framebuffer_update(vs, x, y, w, h);

            break;

        case VNC_ENCODING_TIGHT:

            n = vnc_tight_send_framebuffer_update(vs, x, y, w, h);

            break;

        case VNC_ENCODING_TIGHT_PNG:

            n = vnc_tight_png_send_framebuffer_update(vs, x, y, w, h);

            break;

        case VNC_ENCODING_ZRLE:

            n = vnc_zrle_send_framebuffer_update(vs, x, y, w, h);

            break;

        case VNC_ENCODING_ZYWRLE:

            n = vnc_zywrle_send_framebuffer_update(vs, x, y, w, h);

            break;

        default:

            vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_RAW);

            n = vnc_raw_send_framebuffer_update(vs, x, y, w, h);

            break;

    }

    return n;

}

static void vnc_copy(VncState *vs, int src_x, int src_y, int dst_x, int dst_y, int w, int h)

{

    /* send bitblit op to the vnc client */

    vnc_lock_output(vs);

    vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);

    vnc_write_u8(vs, 0);

    vnc_write_u16(vs, 1); /* number of rects */

    vnc_framebuffer_update(vs, dst_x, dst_y, w, h, VNC_ENCODING_COPYRECT);

    vnc_write_u16(vs, src_x);

    vnc_write_u16(vs, src_y);

    vnc_unlock_output(vs);

    vnc_flush(vs);

}

static void vnc_dpy_copy(DisplayState *ds, int src_x, int src_y, int dst_x, int dst_y, int w, int h)

{

    VncDisplay *vd = ds->opaque;

    VncState *vs, *vn;

    uint8_t *src_row;

    uint8_t *dst_row;

    int i,x,y,pitch,depth,inc,w_lim,s;

    int cmp_bytes;

    vnc_refresh_server_surface(vd);

    QTAILQ_FOREACH_SAFE(vs, &vd->clients, next, vn) {

        if (vnc_has_feature(vs, VNC_FEATURE_COPYRECT)) {

            vs->force_update = 1;

            vnc_update_client_sync(vs, 1);

            /* vs might be free()ed here */

        }

    }

    /* do bitblit op on the local surface too */

    pitch = ds_get_linesize(vd->ds);

    depth = ds_get_bytes_per_pixel(vd->ds);

    src_row = vd->server->data + pitch * src_y + depth * src_x;

    dst_row = vd->server->data + pitch * dst_y + depth * dst_x;

    y = dst_y;

    inc = 1;

    if (dst_y > src_y) {

        /* copy backwards */

        src_row += pitch * (h-1);

        dst_row += pitch * (h-1);

        pitch = -pitch;

        y = dst_y + h - 1;

        inc = -1;

    }

    w_lim = w - (16 - (dst_x % 16));

    if (w_lim < 0)

        w_lim = w;

    else

        w_lim = w - (w_lim % 16);

    for (i = 0; i < h; i++) {

        for (x = 0; x <= w_lim;

                x += s, src_row += cmp_bytes, dst_row += cmp_bytes) {

            if (x == w_lim) {

                if ((s = w - w_lim) == 0)

                    break;

            } else if (!x) {

                s = (16 - (dst_x % 16));

                s = MIN(s, w_lim);

            } else {

                s = 16;

            }

            cmp_bytes = s * depth;

            if (memcmp(src_row, dst_row, cmp_bytes) == 0)

                continue;

            memmove(dst_row, src_row, cmp_bytes);

            QTAILQ_FOREACH(vs, &vd->clients, next) {

                if (!vnc_has_feature(vs, VNC_FEATURE_COPYRECT)) {

                    set_bit(((x + dst_x) / 16), vs->dirty[y]);

                }

            }

        }

        src_row += pitch - w * depth;

        dst_row += pitch - w * depth;

        y += inc;

    }

    QTAILQ_FOREACH(vs, &vd->clients, next) {

        if (vnc_has_feature(vs, VNC_FEATURE_COPYRECT)) {

            vnc_copy(vs, src_x, src_y, dst_x, dst_y, w, h);

        }

    }

}

static void vnc_mouse_set(int x, int y, int visible)

{

    /* can we ask the client(s) to move the pointer ??? */

}

static int vnc_cursor_define(VncState *vs)

{

    QEMUCursor *c = vs->vd->cursor;

    PixelFormat pf = qemu_default_pixelformat(32);

    int isize;

    if (vnc_has_feature(vs, VNC_FEATURE_RICH_CURSOR)) {

        vnc_lock_output(vs);

        vnc_write_u8(vs,  VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);

        vnc_write_u8(vs,  0);  /*  padding     */

        vnc_write_u16(vs, 1);  /*  # of rects  */

        vnc_framebuffer_update(vs, c->hot_x, c->hot_y, c->width, c->height,

                               VNC_ENCODING_RICH_CURSOR);

        isize = c->width * c->height * vs->clientds.pf.bytes_per_pixel;

        vnc_write_pixels_generic(vs, &pf, c->data, isize);

        vnc_write(vs, vs->vd->cursor_mask, vs->vd->cursor_msize);

        vnc_unlock_output(vs);

        return 0;

    }

    return -1;

}

static void vnc_dpy_cursor_define(QEMUCursor *c)

{

    VncDisplay *vd = vnc_display;

    VncState *vs;

    cursor_put(vd->cursor);

    qemu_free(vd->cursor_mask);

    vd->cursor = c;

    cursor_get(vd->cursor);

    vd->cursor_msize = cursor_get_mono_bpl(c) * c->height;

    vd->cursor_mask = qemu_mallocz(vd->cursor_msize);

    cursor_get_mono_mask(c, 0, vd->cursor_mask);

    QTAILQ_FOREACH(vs, &vd->clients, next) {

        vnc_cursor_define(vs);

    }

}

static int find_and_clear_dirty_height(struct VncState *vs,

                                       int y, int last_x, int x)

{

    int h;

    VncDisplay *vd = vs->vd;

    for (h = 1; h < (vd->server->height - y); h++) {

        int tmp_x;

        if (!test_bit(last_x, vs->dirty[y + h])) {

            break;

        }

        for (tmp_x = last_x; tmp_x < x; tmp_x++) {

            clear_bit(tmp_x, vs->dirty[y + h]);

        }

    }

    return h;

}

#ifdef CONFIG_VNC_THREAD

static int vnc_update_client_sync(VncState *vs, int has_dirty)

{

    int ret = vnc_update_client(vs, has_dirty);

    vnc_jobs_join(vs);

    return ret;

}

#else

static int vnc_update_client_sync(VncState *vs, int has_dirty)

{

    return vnc_update_client(vs, has_dirty);

}

#endif

static int vnc_update_client(VncState *vs, int has_dirty)

{

    if (vs->need_update && vs->csock != -1) {

        VncDisplay *vd = vs->vd;

        VncJob *job;

        int y;

        int width, height;

        int n = 0;

        if (vs->output.offset && !vs->audio_cap && !vs->force_update)

            /* kernel send buffers are full -> drop frames to throttle */

            return 0;

        if (!has_dirty && !vs->audio_cap && !vs->force_update)

            return 0;

        /*

         * Send screen updates to the vnc client using the server

         * surface and server dirty map.  guest surface updates

         * happening in parallel don't disturb us, the next pass will

         * send them to the client.

         */

        job = vnc_job_new(vs);

        width = MIN(vd->server->width, vs->client_width);

        height = MIN(vd->server->height, vs->client_height);

        for (y = 0; y < height; y++) {

            int x;

            int last_x = -1;

            for (x = 0; x < width / 16; x++) {

                if (test_and_clear_bit(x, vs->dirty[y])) {

                    if (last_x == -1) {

                        last_x = x;

                    }

                } else {

                    if (last_x != -1) {

                        int h = find_and_clear_dirty_height(vs, y, last_x, x);

                        n += vnc_job_add_rect(job, last_x * 16, y,

                                              (x - last_x) * 16, h);

                    }

                    last_x = -1;

                }

            }

            if (last_x != -1) {

                int h = find_and_clear_dirty_height(vs, y, last_x, x);

                n += vnc_job_add_rect(job, last_x * 16, y,

                                      (x - last_x) * 16, h);

            }

        }

        vnc_job_push(job);

        vs->force_update = 0;

        return n;

    }

    if (vs->csock == -1)

        vnc_disconnect_finish(vs);

    return 0;

}

/* audio */

static void audio_capture_notify(void *opaque, audcnotification_e cmd)

{

    VncState *vs = opaque;

    switch (cmd) {

    case AUD_CNOTIFY_DISABLE:

        vnc_lock_output(vs);

        vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);

        vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);

        vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_END);

        vnc_unlock_output(vs);

        vnc_flush(vs);

        break;

    case AUD_CNOTIFY_ENABLE:

        vnc_lock_output(vs);

        vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);

        vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);

        vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_BEGIN);

        vnc_unlock_output(vs);

        vnc_flush(vs);

        break;

    }

}

static void audio_capture_destroy(void *opaque)

{

}

static void audio_capture(void *opaque, void *buf, int size)

{

    VncState *vs = opaque;

    vnc_lock_output(vs);

    vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);

    vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);

    vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_DATA);

    vnc_write_u32(vs, size);

    vnc_write(vs, buf, size);

    vnc_unlock_output(vs);

    vnc_flush(vs);

}

static void audio_add(VncState *vs)

{

    struct audio_capture_ops ops;

    if (vs->audio_cap) {

        monitor_printf(default_mon, "audio already running\n");

        return;

    }

    ops.notify = audio_capture_notify;

    ops.destroy = audio_capture_destroy;

    ops.capture = audio_capture;

    vs->audio_cap = AUD_add_capture(&vs->as, &ops, vs);

    if (!vs->audio_cap) {

        monitor_printf(default_mon, "Failed to add audio capture\n");

    }

}

static void audio_del(VncState *vs)

{

    if (vs->audio_cap) {

        AUD_del_capture(vs->audio_cap, vs);

        vs->audio_cap = NULL;

    }

}

static void vnc_disconnect_start(VncState *vs)

{

    if (vs->csock == -1)

        return;

    qemu_set_fd_handler2(vs->csock, NULL, NULL, NULL, NULL);

    closesocket(vs->csock);

    vs->csock = -1;

}

static void vnc_disconnect_finish(VncState *vs)

{

    int i;

    vnc_jobs_join(vs); /* Wait encoding jobs */

    vnc_lock_output(vs);

    vnc_qmp_event(vs, QEVENT_VNC_DISCONNECTED);

    buffer_free(&vs->input);

    buffer_free(&vs->output);

    qobject_decref(vs->info);

    vnc_zlib_clear(vs);

    vnc_tight_clear(vs);

    vnc_zrle_clear(vs);

#ifdef CONFIG_VNC_TLS

    vnc_tls_client_cleanup(vs);

#endif /* CONFIG_VNC_TLS */

#ifdef CONFIG_VNC_SASL

    vnc_sasl_client_cleanup(vs);

#endif /* CONFIG_VNC_SASL */

    audio_del(vs);

    QTAILQ_REMOVE(&vs->vd->clients, vs, next);

    if (QTAILQ_EMPTY(&vs->vd->clients)) {

        dcl->idle = 1;

    }

    qemu_remove_mouse_mode_change_notifier(&vs->mouse_mode_notifier);

    vnc_remove_timer(vs->vd);

    if (vs->vd->lock_key_sync)

        qemu_remove_led_event_handler(vs->led);

    vnc_unlock_output(vs);

#ifdef CONFIG_VNC_THREAD

    qemu_mutex_destroy(&vs->output_mutex);

#endif

    for (i = 0; i < VNC_STAT_ROWS; ++i) {

        qemu_free(vs->lossy_rect[i]);

    }

    qemu_free(vs->lossy_rect);

    qemu_free(vs);

}

int vnc_client_io_error(VncState *vs, int ret, int last_errno)

{

    if (ret == 0 || ret == -1) {

        if (ret == -1) {

            switch (last_errno) {

                case EINTR:

                case EAGAIN:

#ifdef _WIN32

                case WSAEWOULDBLOCK:

#endif

                    return 0;

                default:

                    break;

            }

        }

        VNC_DEBUG("Closing down client sock: ret %d, errno %d\n",

                  ret, ret < 0 ? last_errno : 0);

        vnc_disconnect_start(vs);

        return 0;

    }

    return ret;

}

void vnc_client_error(VncState *vs)

{

    VNC_DEBUG("Closing down client sock: protocol error\n");

    vnc_disconnect_start(vs);

}

/*

 * Called to write a chunk of data to the client socket. The data may

 * be the raw data, or may have already been encoded by SASL.

 * The data will be written either straight onto the socket, or

 * written via the GNUTLS wrappers, if TLS/SSL encryption is enabled

 *

 * NB, it is theoretically possible to have 2 layers of encryption,

 * both SASL, and this TLS layer. It is highly unlikely in practice

 * though, since SASL encryption will typically be a no-op if TLS

 * is active

 *

 * Returns the number of bytes written, which may be less than

 * the requested 'datalen' if the socket would block. Returns

 * -1 on error, and disconnects the client socket.

 */

long vnc_client_write_buf(VncState *vs, const uint8_t *data, size_t datalen)

{

    long ret;

#ifdef CONFIG_VNC_TLS

    if (vs->tls.session) {

        ret = gnutls_write(vs->tls.session, data, datalen);

        if (ret < 0) {

            if (ret == GNUTLS_E_AGAIN)

                errno = EAGAIN;

            else

                errno = EIO;

            ret = -1;

        }

    } else

#endif /* CONFIG_VNC_TLS */

        ret = send(vs->csock, (const void *)data, datalen, 0);

    VNC_DEBUG("Wrote wire %p %zd -> %ld\n", data, datalen, ret);

    return vnc_client_io_error(vs, ret, socket_error());

}

/*

 * Called to write buffered data to the client socket, when not

 * using any SASL SSF encryption layers. Will write as much data

 * as possible without blocking. If all buffered data is written,

 * will switch the FD poll() handler back to read monitoring.

 *

 * Returns the number of bytes written, which may be less than

 * the buffered output data if the socket would block. Returns

 * -1 on error, and disconnects the client socket.

 */

static long vnc_client_write_plain(VncState *vs)

{

    long ret;

#ifdef CONFIG_VNC_SASL

    VNC_DEBUG("Write Plain: Pending output %p size %zd offset %zd. Wait SSF %d\n",

              vs->output.buffer, vs->output.capacity, vs->output.offset,

              vs->sasl.waitWriteSSF);

    if (vs->sasl.conn &&

        vs->sasl.runSSF &&

        vs->sasl.waitWriteSSF) {

        ret = vnc_client_write_buf(vs, vs->output.buffer, vs->sasl.waitWriteSSF);

        if (ret)

            vs->sasl.waitWriteSSF -= ret;

    } else

#endif /* CONFIG_VNC_SASL */

        ret = vnc_client_write_buf(vs, vs->output.buffer, vs->output.offset);

    if (!ret)

        return 0;

    memmove(vs->output.buffer, vs->output.buffer + ret, (vs->output.offset - ret));

    vs->output.offset -= ret;

    if (vs->output.offset == 0) {

        qemu_set_fd_handler2(vs->csock, NULL, vnc_client_read, NULL, vs);

    }

    return ret;

}

/*

 * First function called whenever there is data to be written to

 * the client socket. Will delegate actual work according to whether

 * SASL SSF layers are enabled (thus requiring encryption calls)

 */

static void vnc_client_write_locked(void *opaque)

{

    VncState *vs = opaque;

#ifdef CONFIG_VNC_SASL

    if (vs->sasl.conn &&

        vs->sasl.runSSF &&

        !vs->sasl.waitWriteSSF) {

        vnc_client_write_sasl(vs);

    } else

#endif /* CONFIG_VNC_SASL */

        vnc_client_write_plain(vs);

}

void vnc_client_write(void *opaque)

{

    VncState *vs = opaque;

    vnc_lock_output(vs);

    if (vs->output.offset) {

        vnc_client_write_locked(opaque);

    } else if (vs->csock != -1) {

        qemu_set_fd_handler2(vs->csock, NULL, vnc_client_read, NULL, vs);

    }

    vnc_unlock_output(vs);

}

void vnc_read_when(VncState *vs, VncReadEvent *func, size_t expecting)

{

    vs->read_handler = func;

    vs->read_handler_expect = expecting;

}

/*

 * Called to read a chunk of data from the client socket. The data may

 * be the raw data, or may need to be further decoded by SASL.

 * The data will be read either straight from to the socket, or

 * read via the GNUTLS wrappers, if TLS/SSL encryption is enabled

 *

 * NB, it is theoretically possible to have 2 layers of encryption,

 * both SASL, and this TLS layer. It is highly unlikely in practice

 * though, since SASL encryption will typically be a no-op if TLS

 * is active

 *

 * Returns the number of bytes read, which may be less than

 * the requested 'datalen' if the socket would block. Returns

 * -1 on error, and disconnects the client socket.

 */

long vnc_client_read_buf(VncState *vs, uint8_t *data, size_t datalen)

{

    long ret;

#ifdef CONFIG_VNC_TLS

    if (vs->tls.session) {

        ret = gnutls_read(vs->tls.session, data, datalen);

        if (ret < 0) {

            if (ret == GNUTLS_E_AGAIN)

                errno = EAGAIN;

            else

                errno = EIO;

            ret = -1;

        }

    } else

#endif /* CONFIG_VNC_TLS */

        ret = recv(vs->csock, (void *)data, datalen, 0);

    VNC_DEBUG("Read wire %p %zd -> %ld\n", data, datalen, ret);

    return vnc_client_io_error(vs, ret, socket_error());

}

/*

 * Called to read data from the client socket to the input buffer,

 * when not using any SASL SSF encryption layers. Will read as much

 * data as possible without blocking.

 *

 * Returns the number of bytes read. Returns -1 on error, and

 * disconnects the client socket.

 */

static long vnc_client_read_plain(VncState *vs)

{

    int ret;

    VNC_DEBUG("Read plain %p size %zd offset %zd\n",

              vs->input.buffer, vs->input.capacity, vs->input.offset);

    buffer_reserve(&vs->input, 4096);

    ret = vnc_client_read_buf(vs, buffer_end(&vs->input), 4096);

    if (!ret)

        return 0;

    vs->input.offset += ret;

    return ret;

}

/*

 * First function called whenever there is more data to be read from

 * the client socket. Will delegate actual work according to whether

 * SASL SSF layers are enabled (thus requiring decryption calls)

 */

void vnc_client_read(void *opaque)

{

    VncState *vs = opaque;

    long ret;

#ifdef CONFIG_VNC_SASL

    if (vs->sasl.conn && vs->sasl.runSSF)

        ret = vnc_client_read_sasl(vs);

    else

#endif /* CONFIG_VNC_SASL */

        ret = vnc_client_read_plain(vs);

    if (!ret) {

        if (vs->csock == -1)

            vnc_disconnect_finish(vs);

        return;

    }

    while (vs->read_handler && vs->input.offset >= vs->read_handler_expect) {

        size_t len = vs->read_handler_expect;

        int ret;

        ret = vs->read_handler(vs, vs->input.buffer, len);

        if (vs->csock == -1) {

            vnc_disconnect_finish(vs);

            return;

        }

        if (!ret) {

            memmove(vs->input.buffer, vs->input.buffer + len, (vs->input.offset - len));

            vs->input.offset -= len;

        } else {

            vs->read_handler_expect = ret;

        }

    }

}

void vnc_write(VncState *vs, const void *data, size_t len)

{

    buffer_reserve(&vs->output, len);

    if (vs->csock != -1 && buffer_empty(&vs->output)) {

        qemu_set_fd_handler2(vs->csock, NULL, vnc_client_read, vnc_client_write, vs);

    }

    buffer_append(&vs->output, data, len);

}

void vnc_write_s32(VncState *vs, int32_t value)

{

    vnc_write_u32(vs, *(uint32_t *)&value);

}

void vnc_write_u32(VncState *vs, uint32_t value)

{

    uint8_t buf[4];

    buf[0] = (value >> 24) & 0xFF;

    buf[1] = (value >> 16) & 0xFF;

    buf[2] = (value >>  8) & 0xFF;

    buf[3] = value & 0xFF;

    vnc_write(vs, buf, 4);

}

void vnc_write_u16(VncState *vs, uint16_t value)

{

    uint8_t buf[2];

    buf[0] = (value >> 8) & 0xFF;

    buf[1] = value & 0xFF;

    vnc_write(vs, buf, 2);

}

void vnc_write_u8(VncState *vs, uint8_t value)

{

    vnc_write(vs, (char *)&value, 1);

}

void vnc_flush(VncState *vs)

{

    vnc_lock_output(vs);

    if (vs->csock != -1 && vs->output.offset) {

        vnc_client_write_locked(vs);

    }

    vnc_unlock_output(vs);

}

uint8_t read_u8(uint8_t *data, size_t offset)

{

    return data[offset];

}

uint16_t read_u16(uint8_t *data, size_t offset)

{

    return ((data[offset] & 0xFF) << 8) | (data[offset + 1] & 0xFF);

}

int32_t read_s32(uint8_t *data, size_t offset)

{

    return (int32_t)((data[offset] << 24) | (data[offset + 1] << 16) |

                     (data[offset + 2] << 8) | data[offset + 3]);

}

uint32_t read_u32(uint8_t *data, size_t offset)

{

    return ((data[offset] << 24) | (data[offset + 1] << 16) |

            (data[offset + 2] << 8) | data[offset + 3]);

}

static void client_cut_text(VncState *vs, size_t len, uint8_t *text)

{

}