this patch makes the VNC server work correctly if the
server surface and the guest surface have different sizes.

Basically the server surface is adjusted to not exceed VNC_MAX_WIDTH
x VNC_MAX_HEIGHT and additionally the width is rounded up to multiple of
VNC_DIRTY_PIXELS_PER_BIT.

If we have a resolution whose width is not dividable by VNC_DIRTY_PIXELS_PER_BIT
we now get a small black bar on the right of the screen.

If the surface is too big to fit the limits only the upper left area is shown.

On top of that this fixes 2 memory corruption issues:

The first was actually discovered during playing
around with a Windows 7 vServer. During resolution
change in Windows 7 it happens sometimes that Windows
changes to an intermediate resolution where
server_stride % cmp_bytes != 0 (in vnc_refresh_server_surface).
This happens only if width % VNC_DIRTY_PIXELS_PER_BIT != 0.

The second is a theoretical issue, but is maybe exploitable
by the guest. If for some reason the guest surface size is bigger
than VNC_MAX_WIDTH x VNC_MAX_HEIGHT we end up in severe corruption since
this limit is nowhere enforced.
Signed-off-by: NPeter Lieven <pl@kamp.de>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

currently a malicious client could define a payload
size of 2^32 - 1 bytes and send up to that size of
data to the vnc server. The server would allocated
that amount of memory which could easily create an
out of memory condition.

This patch limits the payload size to 1MB max.

Please note that client_cut_text messages are currently
silently ignored.
Signed-off-by: NPeter Lieven <pl@kamp.de>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

Since VNC_CONNECTED, VNC_DISCONNECTED, VNC_INITIALIZED share some
common functions, convert them in one patch.
Signed-off-by: NWenchao Xia <wenchaoqemu@gmail.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>
Signed-off-by: NLuiz Capitulino <lcapitulino@redhat.com>

In order to let event defines use existing types later, instead of
redefine new ones, some old type defines for spice and vnc are changed,
and BlockErrorAction is moved from block.h to qapi schema. Note that
BlockErrorAction is not merged with BlockdevOnError.

At this point, VncInfo is not made a child of VncBasicInfo, because
VncBasicInfo has mandatory fields where VncInfo makes them optional.
Signed-off-by: NWenchao Xia <wenchaoqemu@gmail.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>
Signed-off-by: NLuiz Capitulino <lcapitulino@redhat.com>

Bug was added by 38ee14f4.
vnc_jobs_join call is missing in one code path.
Reported-by: NAnthony PERARD <anthony.perard@citrix.com>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

Current code silently changes the authentication settings
in case you try to set a password without password authentication
turned on.  This is bad.  Return an error instead.

If we want allow changing auth settings at runtime this should
be done explicitly using a separate monitor command, not as
side effect of set_passwd.
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

These errors don't seem user initiated, so forcibly printing to the
monitor doesn't seem right. Just use error_report.

Cc: Anthony Liguori <aliguori@amazon.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: NCole Robinson <crobinso@redhat.com>
Reviewed-by: NPaolo Bonzini <pbonzini@redhat.com>
Signed-off-by: NLuiz Capitulino <lcapitulino@redhat.com>

this fixes invalid rectangle updates observed after commit 12b316d4
with the vmware VGA driver. The issues occured because the server
and client surface update seems to be out of sync at some points
and the max width of the surface is not dividable by
VNC_DIRTY_BITS_PER_PIXEL (16).
Reported-by: NSerge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: NPeter Lieven <pl@kamp.de>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

Signed-off-by: NPeter Lieven <pl@kamp.de>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

Signed-off-by: NPeter Lieven <pl@kamp.de>
Reviewed-by: NWenchao Xia <xiawenc@linux.vnet.ibm.com>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

The following artifical test (just the bitmap operation part) running
vnc_update_client 65536 times on a 2560x2048 surface illustrates the
performance difference:

All bits clean - vnc_update_client_new: 0.07 secs
                 vnc_update_client_new2: 0.07 secs
                 vnc_update_client_old: 10.98 secs

All bits dirty - vnc_update_client_new: 11.26 secs
               - vnc_update_client_new2: 0.29 secs
                 vnc_update_client_old: 20.19 secs

Few bits dirty - vnc_update_client_new: 0.07 secs
               - vnc_update_client_new2: 0.07 secs
                 vnc_update_client_old: 10.98 secs

vnc_update_client_new2 shows the performance of vnc_update_client
with this patch added.

Comparing with the test run of the last patch the performance
is at least unchanged while it is significantly improved
for the all bits dirty case.
Signed-off-by: NPeter Lieven <pl@kamp.de>
Reviewed-by: NWenchao Xia <xiawenc@linux.vnet.ibm.com>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

vnc_update_client currently scans the dirty bitmap of each client
bitwise which is a very costly operation if only few bits are dirty.
vnc_refresh_server_surface does almost the same.
this patch optimizes both by utilizing the heavily optimized
function find_next_bit to find the offset of the next dirty
bit in the dirty bitmaps.

The following artifical test (just the bitmap operation part) running
vnc_update_client 65536 times on a 2560x2048 surface illustrates the
performance difference:

All bits clean - vnc_update_client_new: 0.07 secs
 vnc_update_client_old: 10.98 secs

All bits dirty - vnc_update_client_new: 11.26 secs
 vnc_update_client_old: 20.19 secs

Few bits dirty - vnc_update_client_new: 0.08 secs
 vnc_update_client_old: 10.98 secs

The case for all bits dirty is still rather slow, this
is due to the implementation of find_and_clear_dirty_height.
This will be addresses in a separate patch.
Signed-off-by: NPeter Lieven <pl@kamp.de>
Reviewed-by: NWenchao Xia <xiawenc@linux.vnet.ibm.com>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

this allows for setting VNC_DIRTY_PIXELS_PER_BIT to different
values than 16 if desired.
Reviewed-by: NWenchao Xia <xiawenc@linux.vnet.ibm.com>
Signed-off-by: NPeter Lieven <pl@kamp.de>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

Signed-off-by: NPeter Lieven <pl@kamp.de>
Reviewed-by: NWenchao Xia <xiawenc@linux.vnet.ibm.com>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

Spotted by Coverity:

876     static int vnc_update_client_sync(VncState *vs, int has_dirty)
877     {

(1) Event freed_arg:    "vnc_update_client(VncState *, int)" frees "vs".  [details]
Also see events:        [deref_arg]

878         int ret = vnc_update_client(vs, has_dirty);

(2) Event deref_arg:    Calling "vnc_jobs_join(VncState *)" dereferences freed pointer "vs". [details]
Also see events:        [freed_arg]

879         vnc_jobs_join(vs);
880         return ret;
881     }

Remove vnc_update_client_sync wrapper, replace it with an additional
argument to vnc_update_client, so we can so the sync properly in
vnc_update_client (i.e. skip it in case of a client disconnect).
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
Reviewed-by: NMarkus Armbruster <armbru@redhat.com>

Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

Some arguments to these functions are booleans - either by declaration,
or by actual usage, but sometimes value of 0 or 1 is passed for a bool,
and sometimes it is declared as int but a bool value, or true/false,
is passed to it instead.  Clean it up a bit.

Cc: liguang <lig.fnst@cn.fujitsu.com>
Signed-off-by: NMichael Tokarev <mjt@tls.msk.ru>

The ledstate should be compared before modifiers updated,
otherwise the ledstate would be the same as current_led_state.
Reported-by: NGerd Hoffmann <kraxel@redhat.com>
Signed-off-by: NLei Li <lilei@linux.vnet.ibm.com>
Reviewed-by: NLaszlo Ersek <lersek@redhat.com>
Message-id: 1368606040-11950-1-git-send-email-lilei@linux.vnet.ibm.com
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

Added TLS support to the VNC QEMU Websockets implementation.
VNC-TLS needs to be enabled for this feature to be used.

The required certificates are specified as in case of VNC-TLS
with the VNC parameter "x509=<path>".

If the server certificate isn't signed by a rooth authority it needs to
be manually imported in the browser because at least in case of Firefox
and Chrome there is no user dialog, the connection just gets canceled.

As a side note VEncrypt over Websocket doesn't work atm because TLS can't
be stacked in the current implementation. (It also didn't work before)
Nevertheless to my knowledge there is no HTML 5 VNC client which supports
it and the Websocket connection can be encrypted with regular TLS now so
it should be fine for most use cases.
Signed-off-by: NTim Hardeck <thardeck@suse.de>
Reviewed-by: NAnthony Liguori <aliguori@us.ibm.com>
Message-id: 1366727581-5772-1-git-send-email-thardeck@suse.de
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

Signed-off-by: NLei Li <lilei@linux.vnet.ibm.com>
Reviewed-by: NAnthony Liguori <aliguori@us.ibm.com>
Message-id: 1366867752-11578-4-git-send-email-lilei@linux.vnet.ibm.com
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

Signed-off-by: NLei Li <lilei@linux.vnet.ibm.com>
Reviewed-by: NAnthony Liguori <aliguori@us.ibm.com>
Message-id: 1366867752-11578-3-git-send-email-lilei@linux.vnet.ibm.com
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

Signed-off-by: NLei Li <lilei@linux.vnet.ibm.com>
Reviewed-by: NAnthony Liguori <aliguori@us.ibm.com>
Message-id: 1366867752-11578-2-git-send-email-lilei@linux.vnet.ibm.com
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

We don't have multiple DisplayStates any more,
so passing it in as argument is not needed.
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

Make gui update rate adaption code in gui_update() actually work.
Sprinkle in a tracepoint so you can see the code at work.  Remove
the update rate adaption code in vnc and make vnc simply use the
generic bits instead.
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

Add QemuConsole parameter to vga_hw_*, so the interface allows to update
non-active consoles (the actual code can't handle this yet, see next
patch).  Passing NULL is allowed and updates the active console, like
the functions do today.

While touching all vga_hw_* calls anyway rename that to the functions to
hardware-neutral graphics_hw_*
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

The fcntl(fd, F_SETFL, O_NONBLOCK) flag is not specific to sockets.
Rename to qemu_set_nonblock() just like qemu_set_cloexec().
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>
Signed-off-by: NLuiz Capitulino <lcapitulino@redhat.com>

Now that nobody depends on DisplayState in DisplayChangeListener
callbacks any more we can remove the parameter from all callbacks.
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

Rework DisplayStateListener callbacks to not use the DisplayState
any more.
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

Replace the dpy_gfx_resize and dpy_gfx_setdata DisplayChangeListener
callbacks with a dpy_gfx_switch callback which notifies the ui code
when the framebuffer backing storage changes.
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

It's broken by design.  There can be multiple DisplayChangeListener
instances, so they simply can't store state in the (single) DisplayState
struct.  Try 'qemu -display gtk -vnc :0', watch it crash & burn.

With DisplayChangeListenerOps having a more sane interface now we can
simply use the DisplayChangeListener pointer to get access to our
private data instead.
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

Split callbacks into separate Ops struct.  Pass DisplayChangeListener
pointer as first argument to all callbacks.  Uninline a bunch of
display functions and move them from console.h to console.c
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

Some VncState values are not initialized before the Websocket handshake.
If it fails QEMU segfaults during the cleanup. To prevent this behavior
intialization checks are added.
Signed-off-by: NTim Hardeck <thardeck@suse.de>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

This patch adds basic Websocket Protocol version 13 - RFC 6455 - support
to QEMU VNC. Binary encoding support on the client side is mandatory.

Because of the GnuTLS requirement the Websockets implementation is
optional (--enable-vnc-ws).

To activate Websocket support the VNC option "websocket"is used, for
example "-vnc :0,websocket".
The listen port for Websocket connections is (5700 + display) so if
QEMU VNC is started with :0 the Websocket port would be 5700.
As an alternative the Websocket port could be manually specified by
using ",websocket=<port>" instead.

Parts of the implementation base on Anthony Liguori's QEMU Websocket
patch from 2010 and on Joel Martin's LibVNC Websocket implementation.
Signed-off-by: NTim Hardeck <thardeck@suse.de>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

Following Anthony Liguori's Websocket implementation I have added the
buffer_advance function to VNC and replaced all related buffer memmove
operations with it.
Signed-off-by: NTim Hardeck <thardeck@suse.de>
Reviewed-by: NAnthony Liguori <aliguori@us.ibm.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>