qdev/isa: add qdev support to i8042 (aka ps/2 kbd+mouse).

[qemu.git] / vnc.c
diff --git a/vnc.c b/vnc.c

index 1d9c113539944ad5247f8b7e66064d213939d9ed..903dd953d9a434cdc2ab7c4cab485f989d471f3d 100644 (file)
--- a/vnc.c
+++ b/vnc.c
@@ -3,6 +3,7 @@
   *
   * Copyright (C) 2006 Anthony Liguori <[email protected]>
   * Copyright (C) 2006 Fabrice Bellard
   *
   * Copyright (C) 2006 Anthony Liguori <[email protected]>
   * Copyright (C) 2006 Fabrice Bellard
+ * Copyright (C) 2009 Red Hat, Inc
   *
   * Permission is hereby granted, free of charge, to any person obtaining a copy
   * of this software and associated documentation files (the "Software"), to deal
   *
   * Permission is hereby granted, free of charge, to any person obtaining a copy
   * of this software and associated documentation files (the "Software"), to deal
@@ -23,176 +24,190 @@
   * THE SOFTWARE.
   */
  
   * THE SOFTWARE.
   */
  
-#include "qemu-common.h"
-#include "console.h"
+#include "vnc.h"
  #include "sysemu.h"
  #include "qemu_socket.h"
  #include "qemu-timer.h"
  #include "sysemu.h"
  #include "qemu_socket.h"
  #include "qemu-timer.h"
+#include "acl.h"
  
  #define VNC_REFRESH_INTERVAL (1000 / 30)
  
  #include "vnc_keysym.h"
  
  #define VNC_REFRESH_INTERVAL (1000 / 30)
  
  #include "vnc_keysym.h"
-#include "keymaps.c"
  #include "d3des.h"
  
  #include "d3des.h"
  
-#ifdef CONFIG_VNC_TLS
-#include <gnutls/gnutls.h>
-#include <gnutls/x509.h>
-#endif /* CONFIG_VNC_TLS */
-
-// #define _VNC_DEBUG 1
+#define count_bits(c, v) { \
+    for (c = 0; v; v >>= 1) \
+    { \
+        c += v & 1; \
+    } \
+}
  
  
-#ifdef _VNC_DEBUG
-#define VNC_DEBUG(fmt, ...) do { fprintf(stderr, fmt, ## __VA_ARGS__); } while (0)
  
  
-#if CONFIG_VNC_TLS && _VNC_DEBUG >= 2
-/* Very verbose, so only enabled for _VNC_DEBUG >= 2 */
-static void vnc_debug_gnutls_log(int level, const char* str) {
-    VNC_DEBUG("%d %s", level, str);
-}
-#endif /* CONFIG_VNC_TLS && _VNC_DEBUG */
-#else
-#define VNC_DEBUG(fmt, ...) do { } while (0)
-#endif
+static VncDisplay *vnc_display; /* needed for info vnc */
+static DisplayChangeListener *dcl;
  
  
+static char *addr_to_string(const char *format,
+                            struct sockaddr_storage *sa,
+                            socklen_t salen) {
+    char *addr;
+    char host[NI_MAXHOST];
+    char serv[NI_MAXSERV];
+    int err;
+    size_t addrlen;
  
  
-typedef struct Buffer
-{
-    size_t capacity;
-    size_t offset;
-    uint8_t *buffer;
-} Buffer;
+    if ((err = getnameinfo((struct sockaddr *)sa, salen,
+                           host, sizeof(host),
+                           serv, sizeof(serv),
+                           NI_NUMERICHOST | NI_NUMERICSERV)) != 0) {
+        VNC_DEBUG("Cannot resolve address %d: %s\n",
+                  err, gai_strerror(err));
+        return NULL;
+    }
  
  
-typedef struct VncState VncState;
+    /* Enough for the existing format + the 2 vars we're
+     * substituting in. */
+    addrlen = strlen(format) + strlen(host) + strlen(serv);
+    addr = qemu_malloc(addrlen + 1);
+    snprintf(addr, addrlen, format, host, serv);
+    addr[addrlen] = '\0';
  
  
-typedef int VncReadEvent(VncState *vs, uint8_t *data, size_t len);
+    return addr;
+}
  
  
-typedef void VncWritePixels(VncState *vs, void *data, int size);
  
  
-typedef void VncSendHextileTile(VncState *vs,
-                                int x, int y, int w, int h,
-                                void *last_bg,
-                                void *last_fg,
-                                int *has_bg, int *has_fg);
+char *vnc_socket_local_addr(const char *format, int fd) {
+    struct sockaddr_storage sa;
+    socklen_t salen;
  
  
-#define VNC_MAX_WIDTH 2048
-#define VNC_MAX_HEIGHT 2048
-#define VNC_DIRTY_WORDS (VNC_MAX_WIDTH / (16 * 32))
+    salen = sizeof(sa);
+    if (getsockname(fd, (struct sockaddr*)&sa, &salen) < 0)
+        return NULL;
  
  
-#define VNC_AUTH_CHALLENGE_SIZE 16
+    return addr_to_string(format, &sa, salen);
+}
  
  
-enum {
-    VNC_AUTH_INVALID = 0,
-    VNC_AUTH_NONE = 1,
-    VNC_AUTH_VNC = 2,
-    VNC_AUTH_RA2 = 5,
-    VNC_AUTH_RA2NE = 6,
-    VNC_AUTH_TIGHT = 16,
-    VNC_AUTH_ULTRA = 17,
-    VNC_AUTH_TLS = 18,
-    VNC_AUTH_VENCRYPT = 19
-};
+char *vnc_socket_remote_addr(const char *format, int fd) {
+    struct sockaddr_storage sa;
+    socklen_t salen;
  
  
-#ifdef CONFIG_VNC_TLS
-enum {
-    VNC_WIREMODE_CLEAR,
-    VNC_WIREMODE_TLS,
-};
-
-enum {
-    VNC_AUTH_VENCRYPT_PLAIN = 256,
-    VNC_AUTH_VENCRYPT_TLSNONE = 257,
-    VNC_AUTH_VENCRYPT_TLSVNC = 258,
-    VNC_AUTH_VENCRYPT_TLSPLAIN = 259,
-    VNC_AUTH_VENCRYPT_X509NONE = 260,
-    VNC_AUTH_VENCRYPT_X509VNC = 261,
-    VNC_AUTH_VENCRYPT_X509PLAIN = 262,
-};
-
-#define X509_CA_CERT_FILE "ca-cert.pem"
-#define X509_CA_CRL_FILE "ca-crl.pem"
-#define X509_SERVER_KEY_FILE "server-key.pem"
-#define X509_SERVER_CERT_FILE "server-cert.pem"
+    salen = sizeof(sa);
+    if (getpeername(fd, (struct sockaddr*)&sa, &salen) < 0)
+        return NULL;
  
  
-#endif /* CONFIG_VNC_TLS */
+    return addr_to_string(format, &sa, salen);
+}
  
  
-struct VncState
-{
-    QEMUTimer *timer;
-    int lsock;
-    int csock;
-    DisplayState *ds;
-    int need_update;
-    int width;
-    int height;
-    uint32_t dirty_row[VNC_MAX_HEIGHT][VNC_DIRTY_WORDS];
-    char *old_data;
-    int depth; /* internal VNC frame buffer byte per pixel */
-    int has_resize;
-    int has_hextile;
-    int has_pointer_type_change;
-    int has_WMVi;
-    int absolute;
-    int last_x;
-    int last_y;
-
-    int major;
-    int minor;
-
-    char *display;
-    char *password;
-    int auth;
+static const char *vnc_auth_name(VncDisplay *vd) {
+    switch (vd->auth) {
+    case VNC_AUTH_INVALID:
+        return "invalid";
+    case VNC_AUTH_NONE:
+        return "none";
+    case VNC_AUTH_VNC:
+        return "vnc";
+    case VNC_AUTH_RA2:
+        return "ra2";
+    case VNC_AUTH_RA2NE:
+        return "ra2ne";
+    case VNC_AUTH_TIGHT:
+        return "tight";
+    case VNC_AUTH_ULTRA:
+        return "ultra";
+    case VNC_AUTH_TLS:
+        return "tls";
+    case VNC_AUTH_VENCRYPT:
  #ifdef CONFIG_VNC_TLS
  #ifdef CONFIG_VNC_TLS
-    int subauth;
-    int x509verify;
-
-    char *x509cacert;
-    char *x509cacrl;
-    char *x509cert;
-    char *x509key;
+        switch (vd->subauth) {
+        case VNC_AUTH_VENCRYPT_PLAIN:
+            return "vencrypt+plain";
+        case VNC_AUTH_VENCRYPT_TLSNONE:
+            return "vencrypt+tls+none";
+        case VNC_AUTH_VENCRYPT_TLSVNC:
+            return "vencrypt+tls+vnc";
+        case VNC_AUTH_VENCRYPT_TLSPLAIN:
+            return "vencrypt+tls+plain";
+        case VNC_AUTH_VENCRYPT_X509NONE:
+            return "vencrypt+x509+none";
+        case VNC_AUTH_VENCRYPT_X509VNC:
+            return "vencrypt+x509+vnc";
+        case VNC_AUTH_VENCRYPT_X509PLAIN:
+            return "vencrypt+x509+plain";
+        case VNC_AUTH_VENCRYPT_TLSSASL:
+            return "vencrypt+tls+sasl";
+        case VNC_AUTH_VENCRYPT_X509SASL:
+            return "vencrypt+x509+sasl";
+        default:
+            return "vencrypt";
+        }
+#else
+        return "vencrypt";
  #endif
  #endif
-    char challenge[VNC_AUTH_CHALLENGE_SIZE];
+    case VNC_AUTH_SASL:
+        return "sasl";
+    }
+    return "unknown";
+}
+
+static void do_info_vnc_client(Monitor *mon, VncState *client)
+{
+    char *clientAddr =
+        vnc_socket_remote_addr("     address: %s:%s\n",
+                               client->csock);
+    if (!clientAddr)
+        return;
+
+    monitor_printf(mon, "Client:\n");
+    monitor_printf(mon, "%s", clientAddr);
+    free(clientAddr);
  
  #ifdef CONFIG_VNC_TLS
  
  #ifdef CONFIG_VNC_TLS
-    int wiremode;
-    gnutls_session_t tls_session;
+    if (client->tls.session &&
+        client->tls.dname)
+        monitor_printf(mon, "  x509 dname: %s\n", client->tls.dname);
+    else
+        monitor_printf(mon, "  x509 dname: none\n");
+#endif
+#ifdef CONFIG_VNC_SASL
+    if (client->sasl.conn &&
+        client->sasl.username)
+        monitor_printf(mon, "    username: %s\n", client->sasl.username);
+    else
+        monitor_printf(mon, "    username: none\n");
  #endif
  #endif
+}
+
+void do_info_vnc(Monitor *mon)
+{
+    if (vnc_display == NULL || vnc_display->display == NULL) {
+        monitor_printf(mon, "Server: disabled\n");
+    } else {
+        char *serverAddr = vnc_socket_local_addr("     address: %s:%s\n",
+                                                 vnc_display->lsock);
+
+        if (!serverAddr)
+            return;
+
+        monitor_printf(mon, "Server:\n");
+        monitor_printf(mon, "%s", serverAddr);
+        free(serverAddr);
+        monitor_printf(mon, "        auth: %s\n", vnc_auth_name(vnc_display));
  
  
-    Buffer output;
-    Buffer input;
-    kbd_layout_t *kbd_layout;
-    /* current output mode information */
-    VncWritePixels *write_pixels;
-    VncSendHextileTile *send_hextile_tile;
-    int pix_bpp, pix_big_endian;
-    int client_red_shift, client_red_max, server_red_shift, server_red_max;
-    int client_green_shift, client_green_max, server_green_shift, server_green_max;
-    int client_blue_shift, client_blue_max, server_blue_shift, server_blue_max;
-
-    VncReadEvent *read_handler;
-    size_t read_handler_expect;
-    /* input */
-    uint8_t modifiers_state[256];
-};
-
-static VncState *vnc_state; /* needed for info vnc */
-
-void do_info_vnc(void)
-{
-    if (vnc_state == NULL)
-       term_printf("VNC server disabled\n");
-    else {
-       term_printf("VNC server active on: ");
-       term_print_filename(vnc_state->display);
-       term_printf("\n");
-
-       if (vnc_state->csock == -1)
-           term_printf("No client connected\n");
-       else
-           term_printf("Client connected\n");
+        if (vnc_display->clients) {
+            VncState *client = vnc_display->clients;
+            while (client) {
+                do_info_vnc_client(mon, client);
+                client = client->next;
+            }
+        } else {
+            monitor_printf(mon, "Client: none\n");
+        }
      }
  }
  
      }
  }
  
+static inline uint32_t vnc_has_feature(VncState *vs, int feature) {
+    return (vs->features & (1 << feature));
+}
+
  /* TODO
     1) Get the queue working for IO.
     2) there is some weirdness when using the -S option (the screen is grey
  /* TODO
     1) Get the queue working for IO.
     2) there is some weirdness when using the -S option (the screen is grey
@@ -200,16 +215,11 @@ void do_info_vnc(void)
     3) resolutions > 1024
  */
  
     3) resolutions > 1024
  */
  
-static void vnc_write(VncState *vs, const void *data, size_t len);
-static void vnc_write_u32(VncState *vs, uint32_t value);
-static void vnc_write_s32(VncState *vs, int32_t value);
-static void vnc_write_u16(VncState *vs, uint16_t value);
-static void vnc_write_u8(VncState *vs, uint8_t value);
-static void vnc_flush(VncState *vs);
  static void vnc_update_client(void *opaque);
  static void vnc_update_client(void *opaque);
-static void vnc_client_read(void *opaque);
+static void vnc_disconnect_start(VncState *vs);
+static void vnc_disconnect_finish(VncState *vs);
  
  
-static void vnc_colordepth(DisplayState *ds, int depth);
+static void vnc_colordepth(VncState *vs);
  
  static inline void vnc_set_bit(uint32_t *d, int k)
  {
  
  static inline void vnc_set_bit(uint32_t *d, int k)
  {
@@ -252,9 +262,9 @@ static inline int vnc_and_bits(const uint32_t *d1, const uint32_t *d2,
      return 0;
  }
  
      return 0;
  }
  
-static void vnc_dpy_update(DisplayState *ds, int x, int y, int w, int h)
+static void vnc_update(VncState *vs, int x, int y, int w, int h)
  {
  {
-    VncState *vs = ds->opaque;
+    struct VncSurface *s = &vs->guest;
      int i;
  
      h += y;
      int i;
  
      h += y;
@@ -266,18 +276,28 @@ static void vnc_dpy_update(DisplayState *ds, int x, int y, int w, int h)
      w += (x % 16);
      x -= (x % 16);
  
      w += (x % 16);
      x -= (x % 16);
  
-    x = MIN(x, vs->width);
-    y = MIN(y, vs->height);
-    w = MIN(x + w, vs->width) - x;
-    h = MIN(h, vs->height);
+    x = MIN(x, s->ds->width);
+    y = MIN(y, s->ds->height);
+    w = MIN(x + w, s->ds->width) - x;
+    h = MIN(h, s->ds->height);
  
      for (; y < h; y++)
  
      for (; y < h; y++)
-       for (i = 0; i < w; i += 16)
-           vnc_set_bit(vs->dirty_row[y], (x + i) / 16);
+        for (i = 0; i < w; i += 16)
+            vnc_set_bit(s->dirty[y], (x + i) / 16);
+}
+
+static void vnc_dpy_update(DisplayState *ds, int x, int y, int w, int h)
+{
+    VncDisplay *vd = ds->opaque;
+    VncState *vs = vd->clients;
+    while (vs != NULL) {
+        vnc_update(vs, x, y, w, h);
+        vs = vs->next;
+    }
  }
  
  static void vnc_framebuffer_update(VncState *vs, int x, int y, int w, int h,
  }
  
  static void vnc_framebuffer_update(VncState *vs, int x, int y, int w, int h,
-                                  int32_t encoding)
+                                   int32_t encoding)
  {
      vnc_write_u16(vs, x);
      vnc_write_u16(vs, y);
  {
      vnc_write_u16(vs, x);
      vnc_write_u16(vs, y);
@@ -287,41 +307,84 @@ static void vnc_framebuffer_update(VncState *vs, int x, int y, int w, int h,
      vnc_write_s32(vs, encoding);
  }
  
      vnc_write_s32(vs, encoding);
  }
  
-static void vnc_dpy_resize(DisplayState *ds, int w, int h)
+void buffer_reserve(Buffer *buffer, size_t len)
  {
  {
-    int size_changed;
-    VncState *vs = ds->opaque;
+    if ((buffer->capacity - buffer->offset) < len) {
+        buffer->capacity += (len + 1024);
+        buffer->buffer = qemu_realloc(buffer->buffer, buffer->capacity);
+        if (buffer->buffer == NULL) {
+            fprintf(stderr, "vnc: out of memory\n");
+            exit(1);
+        }
+    }
+}
  
  
-    ds->data = qemu_realloc(ds->data, w * h * vs->depth);
-    vs->old_data = qemu_realloc(vs->old_data, w * h * vs->depth);
+int buffer_empty(Buffer *buffer)
+{
+    return buffer->offset == 0;
+}
  
  
-    if (ds->data == NULL || vs->old_data == NULL) {
-       fprintf(stderr, "vnc: memory allocation failed\n");
-       exit(1);
-    }
+uint8_t *buffer_end(Buffer *buffer)
+{
+    return buffer->buffer + buffer->offset;
+}
+
+void buffer_reset(Buffer *buffer)
+{
+        buffer->offset = 0;
+}
+
+void buffer_append(Buffer *buffer, const void *data, size_t len)
+{
+    memcpy(buffer->buffer + buffer->offset, data, len);
+    buffer->offset += len;
+}
+
+static void vnc_resize(VncState *vs)
+{
+    DisplayState *ds = vs->ds;
+    int size_changed;
  
  
-    if (ds->depth != vs->depth * 8) {
-        ds->depth = vs->depth * 8;
+    /* guest surface */
+    if (!vs->guest.ds)
+        vs->guest.ds = qemu_mallocz(sizeof(*vs->guest.ds));
+    if (ds_get_bytes_per_pixel(ds) != vs->guest.ds->pf.bytes_per_pixel)
          console_color_init(ds);
          console_color_init(ds);
-    }
-    size_changed = ds->width != w || ds->height != h;
-    ds->width = w;
-    ds->height = h;
-    ds->linesize = w * vs->depth;
+    vnc_colordepth(vs);
+    size_changed = ds_get_width(ds) != vs->guest.ds->width ||
+                   ds_get_height(ds) != vs->guest.ds->height;
+    *(vs->guest.ds) = *(ds->surface);
      if (size_changed) {
      if (size_changed) {
-        vs->width = ds->width;
-        vs->height = ds->height;
-        if (vs->csock != -1 && vs->has_resize) {
+        if (vs->csock != -1 && vnc_has_feature(vs, VNC_FEATURE_RESIZE)) {
              vnc_write_u8(vs, 0);  /* msg id */
              vnc_write_u8(vs, 0);
              vnc_write_u16(vs, 1); /* number of rects */
              vnc_write_u8(vs, 0);  /* msg id */
              vnc_write_u8(vs, 0);
              vnc_write_u16(vs, 1); /* number of rects */
-            vnc_framebuffer_update(vs, 0, 0, ds->width, ds->height, -223);
+            vnc_framebuffer_update(vs, 0, 0, ds_get_width(ds), ds_get_height(ds),
+                                   VNC_ENCODING_DESKTOPRESIZE);
              vnc_flush(vs);
          }
      }
              vnc_flush(vs);
          }
      }
+    memset(vs->guest.dirty, 0xFF, sizeof(vs->guest.dirty));
+
+    /* server surface */
+    if (!vs->server.ds)
+        vs->server.ds = qemu_mallocz(sizeof(*vs->server.ds));
+    if (vs->server.ds->data)
+        qemu_free(vs->server.ds->data);
+    *(vs->server.ds) = *(ds->surface);
+    vs->server.ds->data = qemu_mallocz(vs->server.ds->linesize *
+                                       vs->server.ds->height);
+    memset(vs->server.dirty, 0xFF, sizeof(vs->guest.dirty));
+}
  
  
-    memset(vs->dirty_row, 0xFF, sizeof(vs->dirty_row));
-    memset(vs->old_data, 42, ds_get_linesize(vs->ds) * ds_get_height(vs->ds));
+static void vnc_dpy_resize(DisplayState *ds)
+{
+    VncDisplay *vd = ds->opaque;
+    VncState *vs = vd->clients;
+    while (vs != NULL) {
+        vnc_resize(vs);
+        vs = vs->next;
+    }
  }
  
  /* fastest code */
  }
  
  /* fastest code */
@@ -335,21 +398,21 @@ static void vnc_convert_pixel(VncState *vs, uint8_t *buf, uint32_t v)
  {
      uint8_t r, g, b;
  
  {
      uint8_t r, g, b;
  
-    r = ((v >> vs->server_red_shift) & vs->server_red_max) * (vs->client_red_max + 1) /
-        (vs->server_red_max + 1);
-    g = ((v >> vs->server_green_shift) & vs->server_green_max) * (vs->client_green_max + 1) /
-        (vs->server_green_max + 1);
-    b = ((v >> vs->server_blue_shift) & vs->server_blue_max) * (vs->client_blue_max + 1) /
-        (vs->server_blue_max + 1);
-    v = (r << vs->client_red_shift) |
-        (g << vs->client_green_shift) |
-        (b << vs->client_blue_shift);
-    switch(vs->pix_bpp) {
+    r = ((((v & vs->server.ds->pf.rmask) >> vs->server.ds->pf.rshift) << vs->clientds.pf.rbits) >>
+        vs->server.ds->pf.rbits);
+    g = ((((v & vs->server.ds->pf.gmask) >> vs->server.ds->pf.gshift) << vs->clientds.pf.gbits) >>
+        vs->server.ds->pf.gbits);
+    b = ((((v & vs->server.ds->pf.bmask) >> vs->server.ds->pf.bshift) << vs->clientds.pf.bbits) >>
+        vs->server.ds->pf.bbits);
+    v = (r << vs->clientds.pf.rshift) |
+        (g << vs->clientds.pf.gshift) |
+        (b << vs->clientds.pf.bshift);
+    switch(vs->clientds.pf.bytes_per_pixel) {
      case 1:
          buf[0] = v;
          break;
      case 2:
      case 1:
          buf[0] = v;
          break;
      case 2:
-        if (vs->pix_big_endian) {
+        if (vs->clientds.flags & QEMU_BIG_ENDIAN_FLAG) {
              buf[0] = v >> 8;
              buf[1] = v;
          } else {
              buf[0] = v >> 8;
              buf[1] = v;
          } else {
@@ -359,7 +422,7 @@ static void vnc_convert_pixel(VncState *vs, uint8_t *buf, uint32_t v)
          break;
      default:
      case 4:
          break;
      default:
      case 4:
-        if (vs->pix_big_endian) {
+        if (vs->clientds.flags & QEMU_BIG_ENDIAN_FLAG) {
              buf[0] = v >> 24;
              buf[1] = v >> 16;
              buf[2] = v >> 8;
              buf[0] = v >> 24;
              buf[1] = v >> 16;
              buf[2] = v >> 8;
@@ -378,29 +441,29 @@ static void vnc_write_pixels_generic(VncState *vs, void *pixels1, int size)
  {
      uint8_t buf[4];
  
  {
      uint8_t buf[4];
  
-    if (vs->depth == 4) {
+    if (vs->server.ds->pf.bytes_per_pixel == 4) {
          uint32_t *pixels = pixels1;
          int n, i;
          n = size >> 2;
          for(i = 0; i < n; i++) {
              vnc_convert_pixel(vs, buf, pixels[i]);
          uint32_t *pixels = pixels1;
          int n, i;
          n = size >> 2;
          for(i = 0; i < n; i++) {
              vnc_convert_pixel(vs, buf, pixels[i]);
-            vnc_write(vs, buf, vs->pix_bpp);
+            vnc_write(vs, buf, vs->clientds.pf.bytes_per_pixel);
          }
          }
-    } else if (vs->depth == 2) {
+    } else if (vs->server.ds->pf.bytes_per_pixel == 2) {
          uint16_t *pixels = pixels1;
          int n, i;
          n = size >> 1;
          for(i = 0; i < n; i++) {
              vnc_convert_pixel(vs, buf, pixels[i]);
          uint16_t *pixels = pixels1;
          int n, i;
          n = size >> 1;
          for(i = 0; i < n; i++) {
              vnc_convert_pixel(vs, buf, pixels[i]);
-            vnc_write(vs, buf, vs->pix_bpp);
+            vnc_write(vs, buf, vs->clientds.pf.bytes_per_pixel);
          }
          }
-    } else if (vs->depth == 1) {
+    } else if (vs->server.ds->pf.bytes_per_pixel == 1) {
          uint8_t *pixels = pixels1;
          int n, i;
          n = size;
          for(i = 0; i < n; i++) {
              vnc_convert_pixel(vs, buf, pixels[i]);
          uint8_t *pixels = pixels1;
          int n, i;
          n = size;
          for(i = 0; i < n; i++) {
              vnc_convert_pixel(vs, buf, pixels[i]);
-            vnc_write(vs, buf, vs->pix_bpp);
+            vnc_write(vs, buf, vs->clientds.pf.bytes_per_pixel);
          }
      } else {
          fprintf(stderr, "vnc_write_pixels_generic: VncState color depth not supported\n");
          }
      } else {
          fprintf(stderr, "vnc_write_pixels_generic: VncState color depth not supported\n");
@@ -412,12 +475,10 @@ static void send_framebuffer_update_raw(VncState *vs, int x, int y, int w, int h
      int i;
      uint8_t *row;
  
      int i;
      uint8_t *row;
  
-    vnc_framebuffer_update(vs, x, y, w, h, 0);
-
-    row = ds_get_data(vs->ds) + y * ds_get_linesize(vs->ds) + x * vs->depth;
+    row = vs->server.ds->data + y * ds_get_linesize(vs->ds) + x * ds_get_bytes_per_pixel(vs->ds);
      for (i = 0; i < h; i++) {
      for (i = 0; i < h; i++) {
-       vs->write_pixels(vs, row, w * vs->depth);
-       row += ds_get_linesize(vs->ds);
+        vs->write_pixels(vs, row, w * ds_get_bytes_per_pixel(vs->ds));
+        row += ds_get_linesize(vs->ds);
      }
  }
  
      }
  }
  
@@ -463,82 +524,200 @@ static void send_framebuffer_update_hextile(VncState *vs, int x, int y, int w, i
      int has_fg, has_bg;
      uint8_t *last_fg, *last_bg;
  
      int has_fg, has_bg;
      uint8_t *last_fg, *last_bg;
  
-    vnc_framebuffer_update(vs, x, y, w, h, 5);
-
-    last_fg = (uint8_t *) malloc(vs->depth);
-    last_bg = (uint8_t *) malloc(vs->depth);
+    last_fg = (uint8_t *) qemu_malloc(vs->server.ds->pf.bytes_per_pixel);
+    last_bg = (uint8_t *) qemu_malloc(vs->server.ds->pf.bytes_per_pixel);
      has_fg = has_bg = 0;
      for (j = y; j < (y + h); j += 16) {
      has_fg = has_bg = 0;
      for (j = y; j < (y + h); j += 16) {
-       for (i = x; i < (x + w); i += 16) {
+        for (i = x; i < (x + w); i += 16) {
              vs->send_hextile_tile(vs, i, j,
                                    MIN(16, x + w - i), MIN(16, y + h - j),
                                    last_bg, last_fg, &has_bg, &has_fg);
              vs->send_hextile_tile(vs, i, j,
                                    MIN(16, x + w - i), MIN(16, y + h - j),
                                    last_bg, last_fg, &has_bg, &has_fg);
-       }
+        }
      }
      free(last_fg);
      free(last_bg);
  
  }
  
      }
      free(last_fg);
      free(last_bg);
  
  }
  
-static void send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
+static void vnc_zlib_init(VncState *vs)
  {
  {
-       if (vs->has_hextile)
-           send_framebuffer_update_hextile(vs, x, y, w, h);
-       else
-           send_framebuffer_update_raw(vs, x, y, w, h);
+    int i;
+    for (i=0; i<(sizeof(vs->zlib_stream) / sizeof(z_stream)); i++)
+        vs->zlib_stream[i].opaque = NULL;
  }
  
  }
  
-static void vnc_copy(DisplayState *ds, int src_x, int src_y, int dst_x, int dst_y, int w, int h)
+static void vnc_zlib_start(VncState *vs)
  {
  {
-    int src, dst;
-    uint8_t *src_row;
-    uint8_t *dst_row;
-    char *old_row;
-    int y = 0;
-    int pitch = ds_get_linesize(ds);
-    VncState *vs = ds->opaque;
+    buffer_reset(&vs->zlib);
  
  
-    vnc_update_client(vs);
+    // make the output buffer be the zlib buffer, so we can compress it later
+    vs->zlib_tmp = vs->output;
+    vs->output = vs->zlib;
+}
  
  
-    if (dst_y > src_y) {
-       y = h - 1;
-       pitch = -pitch;
+static int vnc_zlib_stop(VncState *vs, int stream_id)
+{
+    z_streamp zstream = &vs->zlib_stream[stream_id];
+    int previous_out;
+
+    // switch back to normal output/zlib buffers
+    vs->zlib = vs->output;
+    vs->output = vs->zlib_tmp;
+
+    // compress the zlib buffer
+
+    // initialize the stream
+    // XXX need one stream per session
+    if (zstream->opaque != vs) {
+        int err;
+
+        VNC_DEBUG("VNC: initializing zlib stream %d\n", stream_id);
+        VNC_DEBUG("VNC: opaque = %p | vs = %p\n", zstream->opaque, vs);
+        zstream->zalloc = Z_NULL;
+        zstream->zfree = Z_NULL;
+
+        err = deflateInit2(zstream, vs->tight_compression, Z_DEFLATED, MAX_WBITS,
+                           MAX_MEM_LEVEL, Z_DEFAULT_STRATEGY);
+
+        if (err != Z_OK) {
+            fprintf(stderr, "VNC: error initializing zlib\n");
+            return -1;
+        }
+
+        zstream->opaque = vs;
      }
  
      }
  
-    src = (ds_get_linesize(ds) * (src_y + y) + vs->depth * src_x);
-    dst = (ds_get_linesize(ds) * (dst_y + y) + vs->depth * dst_x);
+    // XXX what to do if tight_compression changed in between?
  
  
-    src_row = ds_get_data(ds) + src;
-    dst_row = ds_get_data(ds) + dst;
-    old_row = vs->old_data + dst;
+    // reserve memory in output buffer
+    buffer_reserve(&vs->output, vs->zlib.offset + 64);
  
  
-    for (y = 0; y < h; y++) {
-       memmove(old_row, src_row, w * vs->depth);
-       memmove(dst_row, src_row, w * vs->depth);
-       src_row += pitch;
-       dst_row += pitch;
-       old_row += pitch;
+    // set pointers
+    zstream->next_in = vs->zlib.buffer;
+    zstream->avail_in = vs->zlib.offset;
+    zstream->next_out = vs->output.buffer + vs->output.offset;
+    zstream->avail_out = vs->output.capacity - vs->output.offset;
+    zstream->data_type = Z_BINARY;
+    previous_out = zstream->total_out;
+
+    // start encoding
+    if (deflate(zstream, Z_SYNC_FLUSH) != Z_OK) {
+        fprintf(stderr, "VNC: error during zlib compression\n");
+        return -1;
+    }
+
+    vs->output.offset = vs->output.capacity - zstream->avail_out;
+    return zstream->total_out - previous_out;
+}
+
+static void send_framebuffer_update_zlib(VncState *vs, int x, int y, int w, int h)
+{
+    int old_offset, new_offset, bytes_written;
+
+    vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_ZLIB);
+
+    // remember where we put in the follow-up size
+    old_offset = vs->output.offset;
+    vnc_write_s32(vs, 0);
+
+    // compress the stream
+    vnc_zlib_start(vs);
+    send_framebuffer_update_raw(vs, x, y, w, h);
+    bytes_written = vnc_zlib_stop(vs, 0);
+
+    if (bytes_written == -1)
+        return;
+
+    // hack in the size
+    new_offset = vs->output.offset;
+    vs->output.offset = old_offset;
+    vnc_write_u32(vs, bytes_written);
+    vs->output.offset = new_offset;
+}
+
+static void send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
+{
+    switch(vs->vnc_encoding) {
+        case VNC_ENCODING_ZLIB:
+            send_framebuffer_update_zlib(vs, x, y, w, h);
+            break;
+        case VNC_ENCODING_HEXTILE:
+            vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_HEXTILE);
+            send_framebuffer_update_hextile(vs, x, y, w, h);
+            break;
+        default:
+            vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_RAW);
+            send_framebuffer_update_raw(vs, x, y, w, h);
+            break;
      }
      }
+}
+
+static void vnc_copy(VncState *vs, int src_x, int src_y, int dst_x, int dst_y, int w, int h)
+{
+    uint8_t *src_row;
+    uint8_t *dst_row;
+    int y,pitch,depth;
  
  
+    /* send bitblit op to the vnc client */
      vnc_write_u8(vs, 0);  /* msg id */
      vnc_write_u8(vs, 0);
      vnc_write_u16(vs, 1); /* number of rects */
      vnc_write_u8(vs, 0);  /* msg id */
      vnc_write_u8(vs, 0);
      vnc_write_u16(vs, 1); /* number of rects */
-    vnc_framebuffer_update(vs, dst_x, dst_y, w, h, 1);
+    vnc_framebuffer_update(vs, dst_x, dst_y, w, h, VNC_ENCODING_COPYRECT);
      vnc_write_u16(vs, src_x);
      vnc_write_u16(vs, src_y);
      vnc_flush(vs);
      vnc_write_u16(vs, src_x);
      vnc_write_u16(vs, src_y);
      vnc_flush(vs);
+
+    /* do bitblit op on the local surface too */
+    pitch = ds_get_linesize(vs->ds);
+    depth = ds_get_bytes_per_pixel(vs->ds);
+    src_row = vs->server.ds->data + pitch * src_y + depth * src_x;
+    dst_row = vs->server.ds->data + pitch * dst_y + depth * dst_x;
+    if (dst_y > src_y) {
+        /* copy backwards */
+        src_row += pitch * (h-1);
+        dst_row += pitch * (h-1);
+        pitch = -pitch;
+    }
+    for (y = 0; y < h; y++) {
+        memmove(dst_row, src_row, w * depth);
+        src_row += pitch;
+        dst_row += pitch;
+    }
+}
+
+static void vnc_dpy_copy(DisplayState *ds, int src_x, int src_y, int dst_x, int dst_y, int w, int h)
+{
+    VncDisplay *vd = ds->opaque;
+    VncState *vs, *vn;
+
+    for (vs = vd->clients; vs != NULL; vs = vn) {
+        vn = vs->next;
+        if (vnc_has_feature(vs, VNC_FEATURE_COPYRECT)) {
+            vs->force_update = 1;
+            vnc_update_client(vs);
+            /* vs might be free()ed here */
+        }
+    }
+
+    for (vs = vd->clients; vs != NULL; vs = vs->next) {
+        if (vnc_has_feature(vs, VNC_FEATURE_COPYRECT))
+            vnc_copy(vs, src_x, src_y, dst_x, dst_y, w, h);
+        else /* TODO */
+            vnc_update(vs, dst_x, dst_y, w, h);
+    }
  }
  
  }
  
-static int find_dirty_height(VncState *vs, int y, int last_x, int x)
+static int find_and_clear_dirty_height(struct VncSurface *s,
+                                       int y, int last_x, int x)
  {
      int h;
  
  {
      int h;
  
-    for (h = 1; h < (vs->height - y); h++) {
-       int tmp_x;
-       if (!vnc_get_bit(vs->dirty_row[y + h], last_x))
-           break;
-       for (tmp_x = last_x; tmp_x < x; tmp_x++)
-           vnc_clear_bit(vs->dirty_row[y + h], tmp_x);
+    for (h = 1; h < (s->ds->height - y); h++) {
+        int tmp_x;
+        if (!vnc_get_bit(s->dirty[y + h], last_x))
+            break;
+        for (tmp_x = last_x; tmp_x < x; tmp_x++)
+            vnc_clear_bit(s->dirty[y + h], tmp_x);
      }
  
      return h;
      }
  
      return h;
@@ -547,141 +726,224 @@ static int find_dirty_height(VncState *vs, int y, int last_x, int x)
  static void vnc_update_client(void *opaque)
  {
      VncState *vs = opaque;
  static void vnc_update_client(void *opaque)
  {
      VncState *vs = opaque;
-
      if (vs->need_update && vs->csock != -1) {
      if (vs->need_update && vs->csock != -1) {
-       int y;
-       uint8_t *row;
-       char *old_row;
-       uint32_t width_mask[VNC_DIRTY_WORDS];
-       int n_rectangles;
-       int saved_offset;
-       int has_dirty = 0;
+        int y;
+        uint8_t *guest_row;
+        uint8_t *server_row;
+        int cmp_bytes;
+        uint32_t width_mask[VNC_DIRTY_WORDS];
+        int n_rectangles;
+        int saved_offset;
+        int has_dirty = 0;
+
+        if (vs->output.offset && !vs->audio_cap && !vs->force_update) {
+            /* kernel send buffers are full -> drop frames to throttle */
+            qemu_mod_timer(vs->timer, qemu_get_clock(rt_clock) + VNC_REFRESH_INTERVAL);
+            return;
+        }
  
          vga_hw_update();
  
  
          vga_hw_update();
  
-        vnc_set_bits(width_mask, (vs->width / 16), VNC_DIRTY_WORDS);
-
-       /* Walk through the dirty map and eliminate tiles that
-          really aren't dirty */
-       row = ds_get_data(vs->ds);
-       old_row = vs->old_data;
-
-       for (y = 0; y < vs->height; y++) {
-           if (vnc_and_bits(vs->dirty_row[y], width_mask, VNC_DIRTY_WORDS)) {
-               int x;
-               uint8_t *ptr;
-               char *old_ptr;
-
-               ptr = row;
-               old_ptr = (char*)old_row;
-
-               for (x = 0; x < ds_get_width(vs->ds); x += 16) {
-                   if (memcmp(old_ptr, ptr, 16 * vs->depth) == 0) {
-                       vnc_clear_bit(vs->dirty_row[y], (x / 16));
-                   } else {
-                       has_dirty = 1;
-                       memcpy(old_ptr, ptr, 16 * vs->depth);
-                   }
-
-                   ptr += 16 * vs->depth;
-                   old_ptr += 16 * vs->depth;
-               }
-           }
-
-           row += ds_get_linesize(vs->ds);
-           old_row += ds_get_linesize(vs->ds);
-       }
-
-       if (!has_dirty) {
-           qemu_mod_timer(vs->timer, qemu_get_clock(rt_clock) + VNC_REFRESH_INTERVAL);
-           return;
-       }
-
-       /* Count rectangles */
-       n_rectangles = 0;
-       vnc_write_u8(vs, 0);  /* msg id */
-       vnc_write_u8(vs, 0);
-       saved_offset = vs->output.offset;
-       vnc_write_u16(vs, 0);
-
-       for (y = 0; y < vs->height; y++) {
-           int x;
-           int last_x = -1;
-           for (x = 0; x < vs->width / 16; x++) {
-               if (vnc_get_bit(vs->dirty_row[y], x)) {
-                   if (last_x == -1) {
-                       last_x = x;
-                   }
-                   vnc_clear_bit(vs->dirty_row[y], x);
-               } else {
-                   if (last_x != -1) {
-                       int h = find_dirty_height(vs, y, last_x, x);
-                       send_framebuffer_update(vs, last_x * 16, y, (x - last_x) * 16, h);
-                       n_rectangles++;
-                   }
-                   last_x = -1;
-               }
-           }
-           if (last_x != -1) {
-               int h = find_dirty_height(vs, y, last_x, x);
-               send_framebuffer_update(vs, last_x * 16, y, (x - last_x) * 16, h);
-               n_rectangles++;
-           }
-       }
-       vs->output.buffer[saved_offset] = (n_rectangles >> 8) & 0xFF;
-       vs->output.buffer[saved_offset + 1] = n_rectangles & 0xFF;
-       vnc_flush(vs);
+        /*
+         * Walk through the guest dirty map.
+         * Check and copy modified bits from guest to server surface.
+         * Update server dirty map.
+         */
+        vnc_set_bits(width_mask, (ds_get_width(vs->ds) / 16), VNC_DIRTY_WORDS);
+        cmp_bytes = 16 * ds_get_bytes_per_pixel(vs->ds);
+        guest_row  = vs->guest.ds->data;
+        server_row = vs->server.ds->data;
+        for (y = 0; y < vs->guest.ds->height; y++) {
+            if (vnc_and_bits(vs->guest.dirty[y], width_mask, VNC_DIRTY_WORDS)) {
+                int x;
+                uint8_t *guest_ptr;
+                uint8_t *server_ptr;
+
+                guest_ptr  = guest_row;
+                server_ptr = server_row;
+
+                for (x = 0; x < vs->guest.ds->width;
+                     x += 16, guest_ptr += cmp_bytes, server_ptr += cmp_bytes) {
+                    if (!vnc_get_bit(vs->guest.dirty[y], (x / 16)))
+                        continue;
+                    vnc_clear_bit(vs->guest.dirty[y], (x / 16));
+                    if (memcmp(server_ptr, guest_ptr, cmp_bytes) == 0)
+                        continue;
+                    memcpy(server_ptr, guest_ptr, cmp_bytes);
+                    vnc_set_bit(vs->server.dirty[y], (x / 16));
+                    has_dirty++;
+                }
+            }
+            guest_row  += ds_get_linesize(vs->ds);
+            server_row += ds_get_linesize(vs->ds);
+        }
+
+        if (!has_dirty && !vs->audio_cap && !vs->force_update) {
+            qemu_mod_timer(vs->timer, qemu_get_clock(rt_clock) + VNC_REFRESH_INTERVAL);
+            return;
+        }
+
+        /*
+         * Send screen updates to the vnc client using the server
+         * surface and server dirty map.  guest surface updates
+         * happening in parallel don't disturb us, the next pass will
+         * send them to the client.
+         */
+        n_rectangles = 0;
+        vnc_write_u8(vs, 0);  /* msg id */
+        vnc_write_u8(vs, 0);
+        saved_offset = vs->output.offset;
+        vnc_write_u16(vs, 0);
+
+        for (y = 0; y < vs->server.ds->height; y++) {
+            int x;
+            int last_x = -1;
+            for (x = 0; x < vs->server.ds->width / 16; x++) {
+                if (vnc_get_bit(vs->server.dirty[y], x)) {
+                    if (last_x == -1) {
+                        last_x = x;
+                    }
+                    vnc_clear_bit(vs->server.dirty[y], x);
+                } else {
+                    if (last_x != -1) {
+                        int h = find_and_clear_dirty_height(&vs->server, y, last_x, x);
+                        send_framebuffer_update(vs, last_x * 16, y, (x - last_x) * 16, h);
+                        n_rectangles++;
+                    }
+                    last_x = -1;
+                }
+            }
+            if (last_x != -1) {
+                int h = find_and_clear_dirty_height(&vs->server, y, last_x, x);
+                send_framebuffer_update(vs, last_x * 16, y, (x - last_x) * 16, h);
+                n_rectangles++;
+            }
+        }
+        vs->output.buffer[saved_offset] = (n_rectangles >> 8) & 0xFF;
+        vs->output.buffer[saved_offset + 1] = n_rectangles & 0xFF;
+        vnc_flush(vs);
+        vs->force_update = 0;
  
      }
  
      if (vs->csock != -1) {
          qemu_mod_timer(vs->timer, qemu_get_clock(rt_clock) + VNC_REFRESH_INTERVAL);
  
      }
  
      if (vs->csock != -1) {
          qemu_mod_timer(vs->timer, qemu_get_clock(rt_clock) + VNC_REFRESH_INTERVAL);
+    } else {
+        vnc_disconnect_finish(vs);
      }
  
  }
  
      }
  
  }
  
-static int vnc_listen_poll(void *opaque)
+/* audio */
+static void audio_capture_notify(void *opaque, audcnotification_e cmd)
  {
      VncState *vs = opaque;
  {
      VncState *vs = opaque;
-    if (vs->csock == -1)
-       return 1;
-    return 0;
+
+    switch (cmd) {
+    case AUD_CNOTIFY_DISABLE:
+        vnc_write_u8(vs, 255);
+        vnc_write_u8(vs, 1);
+        vnc_write_u16(vs, 0);
+        vnc_flush(vs);
+        break;
+
+    case AUD_CNOTIFY_ENABLE:
+        vnc_write_u8(vs, 255);
+        vnc_write_u8(vs, 1);
+        vnc_write_u16(vs, 1);
+        vnc_flush(vs);
+        break;
+    }
  }
  
  }
  
-static void buffer_reserve(Buffer *buffer, size_t len)
+static void audio_capture_destroy(void *opaque)
  {
  {
-    if ((buffer->capacity - buffer->offset) < len) {
-       buffer->capacity += (len + 1024);
-       buffer->buffer = qemu_realloc(buffer->buffer, buffer->capacity);
-       if (buffer->buffer == NULL) {
-           fprintf(stderr, "vnc: out of memory\n");
-           exit(1);
-       }
-    }
  }
  
  }
  
-static int buffer_empty(Buffer *buffer)
+static void audio_capture(void *opaque, void *buf, int size)
  {
  {
-    return buffer->offset == 0;
+    VncState *vs = opaque;
+
+    vnc_write_u8(vs, 255);
+    vnc_write_u8(vs, 1);
+    vnc_write_u16(vs, 2);
+    vnc_write_u32(vs, size);
+    vnc_write(vs, buf, size);
+    vnc_flush(vs);
  }
  
  }
  
-static uint8_t *buffer_end(Buffer *buffer)
+static void audio_add(VncState *vs)
  {
  {
-    return buffer->buffer + buffer->offset;
+    Monitor *mon = cur_mon;
+    struct audio_capture_ops ops;
+
+    if (vs->audio_cap) {
+        monitor_printf(mon, "audio already running\n");
+        return;
+    }
+
+    ops.notify = audio_capture_notify;
+    ops.destroy = audio_capture_destroy;
+    ops.capture = audio_capture;
+
+    vs->audio_cap = AUD_add_capture(&vs->as, &ops, vs);
+    if (!vs->audio_cap) {
+        monitor_printf(mon, "Failed to add audio capture\n");
+    }
  }
  
  }
  
-static void buffer_reset(Buffer *buffer)
+static void audio_del(VncState *vs)
  {
  {
-       buffer->offset = 0;
+    if (vs->audio_cap) {
+        AUD_del_capture(vs->audio_cap, vs);
+        vs->audio_cap = NULL;
+    }
  }
  
  }
  
-static void buffer_append(Buffer *buffer, const void *data, size_t len)
+static void vnc_disconnect_start(VncState *vs)
  {
  {
-    memcpy(buffer->buffer + buffer->offset, data, len);
-    buffer->offset += len;
+    if (vs->csock == -1)
+        return;
+    qemu_set_fd_handler2(vs->csock, NULL, NULL, NULL, NULL);
+    closesocket(vs->csock);
+    vs->csock = -1;
+}
+
+static void vnc_disconnect_finish(VncState *vs)
+{
+    qemu_del_timer(vs->timer);
+    qemu_free_timer(vs->timer);
+    if (vs->input.buffer) qemu_free(vs->input.buffer);
+    if (vs->output.buffer) qemu_free(vs->output.buffer);
+#ifdef CONFIG_VNC_TLS
+    vnc_tls_client_cleanup(vs);
+#endif /* CONFIG_VNC_TLS */
+#ifdef CONFIG_VNC_SASL
+    vnc_sasl_client_cleanup(vs);
+#endif /* CONFIG_VNC_SASL */
+    audio_del(vs);
+
+    VncState *p, *parent = NULL;
+    for (p = vs->vd->clients; p != NULL; p = p->next) {
+        if (p == vs) {
+            if (parent)
+                parent->next = p->next;
+            else
+                vs->vd->clients = p->next;
+            break;
+        }
+        parent = p;
+    }
+    if (!vs->vd->clients)
+        dcl->idle = 1;
+
+    qemu_free(vs->server.ds->data);
+    qemu_free(vs->server.ds);
+    qemu_free(vs->guest.ds);
+    qemu_free(vs);
  }
  
  }
  
-static int vnc_client_io_error(VncState *vs, int ret, int last_errno)
+int vnc_client_io_error(VncState *vs, int ret, int last_errno)
  {
      if (ret == 0 || ret == -1) {
          if (ret == -1) {
  {
      if (ret == 0 || ret == -1) {
          if (ret == -1) {
@@ -697,127 +959,244 @@ static int vnc_client_io_error(VncState *vs, int ret, int last_errno)
              }
          }
  
              }
          }
  
-       VNC_DEBUG("Closing down client sock %d %d\n", ret, ret < 0 ? last_errno : 0);
-       qemu_set_fd_handler2(vs->csock, NULL, NULL, NULL, NULL);
-       closesocket(vs->csock);
-       vs->csock = -1;
-       vs->ds->idle = 1;
-       buffer_reset(&vs->input);
-       buffer_reset(&vs->output);
-       vs->need_update = 0;
-#ifdef CONFIG_VNC_TLS
-       if (vs->tls_session) {
-           gnutls_deinit(vs->tls_session);
-           vs->tls_session = NULL;
-       }
-       vs->wiremode = VNC_WIREMODE_CLEAR;
-#endif /* CONFIG_VNC_TLS */
-       return 0;
+        VNC_DEBUG("Closing down client sock: ret %d, errno %d\n",
+                  ret, ret < 0 ? last_errno : 0);
+        vnc_disconnect_start(vs);
+
+        return 0;
      }
      return ret;
  }
  
      }
      return ret;
  }
  
-static void vnc_client_error(VncState *vs)
+
+void vnc_client_error(VncState *vs)
  {
  {
-    vnc_client_io_error(vs, -1, EINVAL);
+    VNC_DEBUG("Closing down client sock: protocol error\n");
+    vnc_disconnect_start(vs);
  }
  
  }
  
-static void vnc_client_write(void *opaque)
+
+/*
+ * Called to write a chunk of data to the client socket. The data may
+ * be the raw data, or may have already been encoded by SASL.
+ * The data will be written either straight onto the socket, or
+ * written via the GNUTLS wrappers, if TLS/SSL encryption is enabled
+ *
+ * NB, it is theoretically possible to have 2 layers of encryption,
+ * both SASL, and this TLS layer. It is highly unlikely in practice
+ * though, since SASL encryption will typically be a no-op if TLS
+ * is active
+ *
+ * Returns the number of bytes written, which may be less than
+ * the requested 'datalen' if the socket would block. Returns
+ * -1 on error, and disconnects the client socket.
+ */
+long vnc_client_write_buf(VncState *vs, const uint8_t *data, size_t datalen)
  {
      long ret;
  {
      long ret;
-    VncState *vs = opaque;
-
  #ifdef CONFIG_VNC_TLS
  #ifdef CONFIG_VNC_TLS
-    if (vs->tls_session) {
-       ret = gnutls_write(vs->tls_session, vs->output.buffer, vs->output.offset);
-       if (ret < 0) {
-           if (ret == GNUTLS_E_AGAIN)
-               errno = EAGAIN;
-           else
-               errno = EIO;
-           ret = -1;
-       }
+    if (vs->tls.session) {
+        ret = gnutls_write(vs->tls.session, data, datalen);
+        if (ret < 0) {
+            if (ret == GNUTLS_E_AGAIN)
+                errno = EAGAIN;
+            else
+                errno = EIO;
+            ret = -1;
+        }
      } else
  #endif /* CONFIG_VNC_TLS */
      } else
  #endif /* CONFIG_VNC_TLS */
-       ret = send(vs->csock, vs->output.buffer, vs->output.offset, 0);
-    ret = vnc_client_io_error(vs, ret, socket_error());
+        ret = send(vs->csock, (const void *)data, datalen, 0);
+    VNC_DEBUG("Wrote wire %p %zd -> %ld\n", data, datalen, ret);
+    return vnc_client_io_error(vs, ret, socket_error());
+}
+
+
+/*
+ * Called to write buffered data to the client socket, when not
+ * using any SASL SSF encryption layers. Will write as much data
+ * as possible without blocking. If all buffered data is written,
+ * will switch the FD poll() handler back to read monitoring.
+ *
+ * Returns the number of bytes written, which may be less than
+ * the buffered output data if the socket would block. Returns
+ * -1 on error, and disconnects the client socket.
+ */
+static long vnc_client_write_plain(VncState *vs)
+{
+    long ret;
+
+#ifdef CONFIG_VNC_SASL
+    VNC_DEBUG("Write Plain: Pending output %p size %zd offset %zd. Wait SSF %d\n",
+              vs->output.buffer, vs->output.capacity, vs->output.offset,
+              vs->sasl.waitWriteSSF);
+
+    if (vs->sasl.conn &&
+        vs->sasl.runSSF &&
+        vs->sasl.waitWriteSSF) {
+        ret = vnc_client_write_buf(vs, vs->output.buffer, vs->sasl.waitWriteSSF);
+        if (ret)
+            vs->sasl.waitWriteSSF -= ret;
+    } else
+#endif /* CONFIG_VNC_SASL */
+        ret = vnc_client_write_buf(vs, vs->output.buffer, vs->output.offset);
      if (!ret)
      if (!ret)
-       return;
+        return 0;
  
      memmove(vs->output.buffer, vs->output.buffer + ret, (vs->output.offset - ret));
      vs->output.offset -= ret;
  
      if (vs->output.offset == 0) {
  
      memmove(vs->output.buffer, vs->output.buffer + ret, (vs->output.offset - ret));
      vs->output.offset -= ret;
  
      if (vs->output.offset == 0) {
-       qemu_set_fd_handler2(vs->csock, NULL, vnc_client_read, NULL, vs);
+        qemu_set_fd_handler2(vs->csock, NULL, vnc_client_read, NULL, vs);
      }
      }
+
+    return ret;
+}
+
+
+/*
+ * First function called whenever there is data to be written to
+ * the client socket. Will delegate actual work according to whether
+ * SASL SSF layers are enabled (thus requiring encryption calls)
+ */
+void vnc_client_write(void *opaque)
+{
+    long ret;
+    VncState *vs = opaque;
+
+#ifdef CONFIG_VNC_SASL
+    if (vs->sasl.conn &&
+        vs->sasl.runSSF &&
+        !vs->sasl.waitWriteSSF)
+        ret = vnc_client_write_sasl(vs);
+    else
+#endif /* CONFIG_VNC_SASL */
+        ret = vnc_client_write_plain(vs);
  }
  
  }
  
-static void vnc_read_when(VncState *vs, VncReadEvent *func, size_t expecting)
+void vnc_read_when(VncState *vs, VncReadEvent *func, size_t expecting)
  {
      vs->read_handler = func;
      vs->read_handler_expect = expecting;
  }
  
  {
      vs->read_handler = func;
      vs->read_handler_expect = expecting;
  }
  
-static void vnc_client_read(void *opaque)
+
+/*
+ * Called to read a chunk of data from the client socket. The data may
+ * be the raw data, or may need to be further decoded by SASL.
+ * The data will be read either straight from to the socket, or
+ * read via the GNUTLS wrappers, if TLS/SSL encryption is enabled
+ *
+ * NB, it is theoretically possible to have 2 layers of encryption,
+ * both SASL, and this TLS layer. It is highly unlikely in practice
+ * though, since SASL encryption will typically be a no-op if TLS
+ * is active
+ *
+ * Returns the number of bytes read, which may be less than
+ * the requested 'datalen' if the socket would block. Returns
+ * -1 on error, and disconnects the client socket.
+ */
+long vnc_client_read_buf(VncState *vs, uint8_t *data, size_t datalen)
  {
  {
-    VncState *vs = opaque;
      long ret;
      long ret;
-
-    buffer_reserve(&vs->input, 4096);
-
  #ifdef CONFIG_VNC_TLS
  #ifdef CONFIG_VNC_TLS
-    if (vs->tls_session) {
-       ret = gnutls_read(vs->tls_session, buffer_end(&vs->input), 4096);
-       if (ret < 0) {
-           if (ret == GNUTLS_E_AGAIN)
-               errno = EAGAIN;
-           else
-               errno = EIO;
-           ret = -1;
-       }
+    if (vs->tls.session) {
+        ret = gnutls_read(vs->tls.session, data, datalen);
+        if (ret < 0) {
+            if (ret == GNUTLS_E_AGAIN)
+                errno = EAGAIN;
+            else
+                errno = EIO;
+            ret = -1;
+        }
      } else
  #endif /* CONFIG_VNC_TLS */
      } else
  #endif /* CONFIG_VNC_TLS */
-       ret = recv(vs->csock, buffer_end(&vs->input), 4096, 0);
-    ret = vnc_client_io_error(vs, ret, socket_error());
-    if (!ret)
-       return;
+        ret = recv(vs->csock, (void *)data, datalen, 0);
+    VNC_DEBUG("Read wire %p %zd -> %ld\n", data, datalen, ret);
+    return vnc_client_io_error(vs, ret, socket_error());
+}
  
  
-    vs->input.offset += ret;
  
  
-    while (vs->read_handler && vs->input.offset >= vs->read_handler_expect) {
-       size_t len = vs->read_handler_expect;
-       int ret;
-
-       ret = vs->read_handler(vs, vs->input.buffer, len);
-       if (vs->csock == -1)
-           return;
-
-       if (!ret) {
-           memmove(vs->input.buffer, vs->input.buffer + len, (vs->input.offset - len));
-           vs->input.offset -= len;
-       } else {
-           vs->read_handler_expect = ret;
-       }
-    }
+/*
+ * Called to read data from the client socket to the input buffer,
+ * when not using any SASL SSF encryption layers. Will read as much
+ * data as possible without blocking.
+ *
+ * Returns the number of bytes read. Returns -1 on error, and
+ * disconnects the client socket.
+ */
+static long vnc_client_read_plain(VncState *vs)
+{
+    int ret;
+    VNC_DEBUG("Read plain %p size %zd offset %zd\n",
+              vs->input.buffer, vs->input.capacity, vs->input.offset);
+    buffer_reserve(&vs->input, 4096);
+    ret = vnc_client_read_buf(vs, buffer_end(&vs->input), 4096);
+    if (!ret)
+        return 0;
+    vs->input.offset += ret;
+    return ret;
  }
  
  }
  
-static void vnc_write(VncState *vs, const void *data, size_t len)
+
+/*
+ * First function called whenever there is more data to be read from
+ * the client socket. Will delegate actual work according to whether
+ * SASL SSF layers are enabled (thus requiring decryption calls)
+ */
+void vnc_client_read(void *opaque)
  {
  {
-    buffer_reserve(&vs->output, len);
+    VncState *vs = opaque;
+    long ret;
  
  
-    if (buffer_empty(&vs->output)) {
-       qemu_set_fd_handler2(vs->csock, NULL, vnc_client_read, vnc_client_write, vs);
-    }
+#ifdef CONFIG_VNC_SASL
+    if (vs->sasl.conn && vs->sasl.runSSF)
+        ret = vnc_client_read_sasl(vs);
+    else
+#endif /* CONFIG_VNC_SASL */
+        ret = vnc_client_read_plain(vs);
+    if (!ret) {
+        if (vs->csock == -1)
+            vnc_disconnect_finish(vs);
+        return;
+    }
+
+    while (vs->read_handler && vs->input.offset >= vs->read_handler_expect) {
+        size_t len = vs->read_handler_expect;
+        int ret;
+
+        ret = vs->read_handler(vs, vs->input.buffer, len);
+        if (vs->csock == -1) {
+            vnc_disconnect_finish(vs);
+            return;
+        }
+
+        if (!ret) {
+            memmove(vs->input.buffer, vs->input.buffer + len, (vs->input.offset - len));
+            vs->input.offset -= len;
+        } else {
+            vs->read_handler_expect = ret;
+        }
+    }
+}
+
+void vnc_write(VncState *vs, const void *data, size_t len)
+{
+    buffer_reserve(&vs->output, len);
+
+    if (vs->csock != -1 && buffer_empty(&vs->output)) {
+        qemu_set_fd_handler2(vs->csock, NULL, vnc_client_read, vnc_client_write, vs);
+    }
  
      buffer_append(&vs->output, data, len);
  }
  
  
      buffer_append(&vs->output, data, len);
  }
  
-static void vnc_write_s32(VncState *vs, int32_t value)
+void vnc_write_s32(VncState *vs, int32_t value)
  {
      vnc_write_u32(vs, *(uint32_t *)&value);
  }
  
  {
      vnc_write_u32(vs, *(uint32_t *)&value);
  }
  
-static void vnc_write_u32(VncState *vs, uint32_t value)
+void vnc_write_u32(VncState *vs, uint32_t value)
  {
      uint8_t buf[4];
  
  {
      uint8_t buf[4];
  
@@ -829,7 +1208,7 @@ static void vnc_write_u32(VncState *vs, uint32_t value)
      vnc_write(vs, buf, 4);
  }
  
      vnc_write(vs, buf, 4);
  }
  
-static void vnc_write_u16(VncState *vs, uint16_t value)
+void vnc_write_u16(VncState *vs, uint16_t value)
  {
      uint8_t buf[2];
  
  {
      uint8_t buf[2];
  
@@ -839,87 +1218,53 @@ static void vnc_write_u16(VncState *vs, uint16_t value)
      vnc_write(vs, buf, 2);
  }
  
      vnc_write(vs, buf, 2);
  }
  
-static void vnc_write_u8(VncState *vs, uint8_t value)
+void vnc_write_u8(VncState *vs, uint8_t value)
  {
      vnc_write(vs, (char *)&value, 1);
  }
  
  {
      vnc_write(vs, (char *)&value, 1);
  }
  
-static void vnc_flush(VncState *vs)
+void vnc_flush(VncState *vs)
  {
  {
-    if (vs->output.offset)
-       vnc_client_write(vs);
+    if (vs->csock != -1 && vs->output.offset)
+        vnc_client_write(vs);
  }
  
  }
  
-static uint8_t read_u8(uint8_t *data, size_t offset)
+uint8_t read_u8(uint8_t *data, size_t offset)
  {
      return data[offset];
  }
  
  {
      return data[offset];
  }
  
-static uint16_t read_u16(uint8_t *data, size_t offset)
+uint16_t read_u16(uint8_t *data, size_t offset)
  {
      return ((data[offset] & 0xFF) << 8) | (data[offset + 1] & 0xFF);
  }
  
  {
      return ((data[offset] & 0xFF) << 8) | (data[offset + 1] & 0xFF);
  }
  
-static int32_t read_s32(uint8_t *data, size_t offset)
+int32_t read_s32(uint8_t *data, size_t offset)
  {
      return (int32_t)((data[offset] << 24) | (data[offset + 1] << 16) |
  {
      return (int32_t)((data[offset] << 24) | (data[offset + 1] << 16) |
-                    (data[offset + 2] << 8) | data[offset + 3]);
+                     (data[offset + 2] << 8) | data[offset + 3]);
  }
  
  }
  
-static uint32_t read_u32(uint8_t *data, size_t offset)
+uint32_t read_u32(uint8_t *data, size_t offset)
  {
      return ((data[offset] << 24) | (data[offset + 1] << 16) |
  {
      return ((data[offset] << 24) | (data[offset + 1] << 16) |
-           (data[offset + 2] << 8) | data[offset + 3]);
-}
-
-#ifdef CONFIG_VNC_TLS
-static ssize_t vnc_tls_push(gnutls_transport_ptr_t transport,
-                            const void *data,
-                            size_t len) {
-    struct VncState *vs = (struct VncState *)transport;
-    int ret;
-
- retry:
-    ret = send(vs->csock, data, len, 0);
-    if (ret < 0) {
-       if (errno == EINTR)
-           goto retry;
-       return -1;
-    }
-    return ret;
+            (data[offset + 2] << 8) | data[offset + 3]);
  }
  
  }
  
-
-static ssize_t vnc_tls_pull(gnutls_transport_ptr_t transport,
-                            void *data,
-                            size_t len) {
-    struct VncState *vs = (struct VncState *)transport;
-    int ret;
-
- retry:
-    ret = recv(vs->csock, data, len, 0);
-    if (ret < 0) {
-       if (errno == EINTR)
-           goto retry;
-       return -1;
-    }
-    return ret;
-}
-#endif /* CONFIG_VNC_TLS */
-
  static void client_cut_text(VncState *vs, size_t len, uint8_t *text)
  {
  }
  
  static void check_pointer_type_change(VncState *vs, int absolute)
  {
  static void client_cut_text(VncState *vs, size_t len, uint8_t *text)
  {
  }
  
  static void check_pointer_type_change(VncState *vs, int absolute)
  {
-    if (vs->has_pointer_type_change && vs->absolute != absolute) {
-       vnc_write_u8(vs, 0);
-       vnc_write_u8(vs, 0);
-       vnc_write_u16(vs, 1);
-       vnc_framebuffer_update(vs, absolute, 0,
-                              ds_get_width(vs->ds), ds_get_height(vs->ds), -257);
-       vnc_flush(vs);
+    if (vnc_has_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE) && vs->absolute != absolute) {
+        vnc_write_u8(vs, 0);
+        vnc_write_u8(vs, 0);
+        vnc_write_u16(vs, 1);
+        vnc_framebuffer_update(vs, absolute, 0,
+                               ds_get_width(vs->ds), ds_get_height(vs->ds),
+                               VNC_ENCODING_POINTER_TYPE_CHANGE);
+        vnc_flush(vs);
      }
      vs->absolute = absolute;
  }
      }
      vs->absolute = absolute;
  }
@@ -930,32 +1275,32 @@ static void pointer_event(VncState *vs, int button_mask, int x, int y)
      int dz = 0;
  
      if (button_mask & 0x01)
      int dz = 0;
  
      if (button_mask & 0x01)
-       buttons |= MOUSE_EVENT_LBUTTON;
+        buttons |= MOUSE_EVENT_LBUTTON;
      if (button_mask & 0x02)
      if (button_mask & 0x02)
-       buttons |= MOUSE_EVENT_MBUTTON;
+        buttons |= MOUSE_EVENT_MBUTTON;
      if (button_mask & 0x04)
      if (button_mask & 0x04)
-       buttons |= MOUSE_EVENT_RBUTTON;
+        buttons |= MOUSE_EVENT_RBUTTON;
      if (button_mask & 0x08)
      if (button_mask & 0x08)
-       dz = -1;
+        dz = -1;
      if (button_mask & 0x10)
      if (button_mask & 0x10)
-       dz = 1;
+        dz = 1;
  
      if (vs->absolute) {
  
      if (vs->absolute) {
-       kbd_mouse_event(x * 0x7FFF / (ds_get_width(vs->ds) - 1),
-                       y * 0x7FFF / (ds_get_height(vs->ds) - 1),
-                       dz, buttons);
-    } else if (vs->has_pointer_type_change) {
-       x -= 0x7FFF;
-       y -= 0x7FFF;
-
-       kbd_mouse_event(x, y, dz, buttons);
+        kbd_mouse_event(x * 0x7FFF / (ds_get_width(vs->ds) - 1),
+                        y * 0x7FFF / (ds_get_height(vs->ds) - 1),
+                        dz, buttons);
+    } else if (vnc_has_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE)) {
+        x -= 0x7FFF;
+        y -= 0x7FFF;
+
+        kbd_mouse_event(x, y, dz, buttons);
      } else {
      } else {
-       if (vs->last_x != -1)
-           kbd_mouse_event(x - vs->last_x,
-                           y - vs->last_y,
-                           dz, buttons);
-       vs->last_x = x;
-       vs->last_y = y;
+        if (vs->last_x != -1)
+            kbd_mouse_event(x - vs->last_x,
+                            y - vs->last_y,
+                            dz, buttons);
+        vs->last_x = x;
+        vs->last_y = y;
      }
  
      check_pointer_type_change(vs, kbd_mouse_is_absolute());
      }
  
      check_pointer_type_change(vs, kbd_mouse_is_absolute());
@@ -976,8 +1321,8 @@ static void reset_keys(VncState *vs)
  
  static void press_key(VncState *vs, int keysym)
  {
  
  static void press_key(VncState *vs, int keysym)
  {
-    kbd_put_keycode(keysym2scancode(vs->kbd_layout, keysym) & 0x7f);
-    kbd_put_keycode(keysym2scancode(vs->kbd_layout, keysym) | 0x80);
+    kbd_put_keycode(keysym2scancode(vs->vd->kbd_layout, keysym) & 0x7f);
+    kbd_put_keycode(keysym2scancode(vs->vd->kbd_layout, keysym) | 0x80);
  }
  
  static void do_key_event(VncState *vs, int down, int keycode, int sym)
  }
  
  static void do_key_event(VncState *vs, int down, int keycode, int sym)
@@ -1003,19 +1348,19 @@ static void do_key_event(VncState *vs, int down, int keycode, int sym)
              return;
          }
          break;
              return;
          }
          break;
-    case 0x3a:                 /* CapsLock */
-    case 0x45:                 /* NumLock */
+    case 0x3a:                        /* CapsLock */
+    case 0x45:                        /* NumLock */
          if (!down)
              vs->modifiers_state[keycode] ^= 1;
          break;
      }
  
          if (!down)
              vs->modifiers_state[keycode] ^= 1;
          break;
      }
  
-    if (keycode_is_keypad(vs->kbd_layout, keycode)) {
+    if (keycode_is_keypad(vs->vd->kbd_layout, keycode)) {
          /* If the numlock state needs to change then simulate an additional
             keypress before sending this one.  This will happen if the user
             toggles numlock away from the VNC window.
          */
          /* If the numlock state needs to change then simulate an additional
             keypress before sending this one.  This will happen if the user
             toggles numlock away from the VNC window.
          */
-        if (keysym_is_numlock(vs->kbd_layout, sym & 0xFFFF)) {
+        if (keysym_is_numlock(vs->vd->kbd_layout, sym & 0xFFFF)) {
              if (!vs->modifiers_state[0x45]) {
                  vs->modifiers_state[0x45] = 1;
                  press_key(vs, 0xff7f);
              if (!vs->modifiers_state[0x45]) {
                  vs->modifiers_state[0x45] = 1;
                  press_key(vs, 0xff7f);
@@ -1038,6 +1383,7 @@ static void do_key_event(VncState *vs, int down, int keycode, int sym)
      } else {
          /* QEMU console emulation */
          if (down) {
      } else {
          /* QEMU console emulation */
          if (down) {
+            int numlock = vs->modifiers_state[0x45];
              switch (keycode) {
              case 0x2a:                          /* Left Shift */
              case 0x36:                          /* Right Shift */
              switch (keycode) {
              case 0x2a:                          /* Left Shift */
              case 0x36:                          /* Right Shift */
@@ -1073,6 +1419,57 @@ static void do_key_event(VncState *vs, int down, int keycode, int sym)
              case 0xd1:
                  kbd_put_keysym(QEMU_KEY_PAGEDOWN);
                  break;
              case 0xd1:
                  kbd_put_keysym(QEMU_KEY_PAGEDOWN);
                  break;
+
+            case 0x47:
+                kbd_put_keysym(numlock ? '7' : QEMU_KEY_HOME);
+                break;
+            case 0x48:
+                kbd_put_keysym(numlock ? '8' : QEMU_KEY_UP);
+                break;
+            case 0x49:
+                kbd_put_keysym(numlock ? '9' : QEMU_KEY_PAGEUP);
+                break;
+            case 0x4b:
+                kbd_put_keysym(numlock ? '4' : QEMU_KEY_LEFT);
+                break;
+            case 0x4c:
+                kbd_put_keysym('5');
+                break;
+            case 0x4d:
+                kbd_put_keysym(numlock ? '6' : QEMU_KEY_RIGHT);
+                break;
+            case 0x4f:
+                kbd_put_keysym(numlock ? '1' : QEMU_KEY_END);
+                break;
+            case 0x50:
+                kbd_put_keysym(numlock ? '2' : QEMU_KEY_DOWN);
+                break;
+            case 0x51:
+                kbd_put_keysym(numlock ? '3' : QEMU_KEY_PAGEDOWN);
+                break;
+            case 0x52:
+                kbd_put_keysym('0');
+                break;
+            case 0x53:
+                kbd_put_keysym(numlock ? '.' : QEMU_KEY_DELETE);
+                break;
+
+            case 0xb5:
+                kbd_put_keysym('/');
+                break;
+            case 0x37:
+                kbd_put_keysym('*');
+                break;
+            case 0x4a:
+                kbd_put_keysym('-');
+                break;
+            case 0x4e:
+                kbd_put_keysym('+');
+                break;
+            case 0x9c:
+                kbd_put_keysym('\n');
+                break;
+
              default:
                  kbd_put_keysym(sym);
                  break;
              default:
                  kbd_put_keysym(sym);
                  break;
@@ -1086,9 +1483,9 @@ static void key_event(VncState *vs, int down, uint32_t sym)
      int keycode;
  
      if (sym >= 'A' && sym <= 'Z' && is_graphic_console())
      int keycode;
  
      if (sym >= 'A' && sym <= 'Z' && is_graphic_console())
-       sym = sym - 'A' + 'a';
+        sym = sym - 'A' + 'a';
  
  
-    keycode = keysym2scancode(vs->kbd_layout, sym & 0xFFFF);
+    keycode = keysym2scancode(vs->vd->kbd_layout, sym & 0xFFFF);
      do_key_event(vs, down, keycode, sym);
  }
  
      do_key_event(vs, down, keycode, sym);
  }
  
@@ -1103,8 +1500,8 @@ static void ext_key_event(VncState *vs, int down,
  }
  
  static void framebuffer_update_request(VncState *vs, int incremental,
  }
  
  static void framebuffer_update_request(VncState *vs, int incremental,
-                                      int x_position, int y_position,
-                                      int w, int h)
+                                       int x_position, int y_position,
+                                       int w, int h)
  {
      if (x_position > ds_get_width(vs->ds))
          x_position = ds_get_width(vs->ds);
  {
      if (x_position > ds_get_width(vs->ds))
          x_position = ds_get_width(vs->ds);
@@ -1118,14 +1515,13 @@ static void framebuffer_update_request(VncState *vs, int incremental,
      int i;
      vs->need_update = 1;
      if (!incremental) {
      int i;
      vs->need_update = 1;
      if (!incremental) {
-       char *old_row = vs->old_data + y_position * ds_get_linesize(vs->ds);
-
-       for (i = 0; i < h; i++) {
-            vnc_set_bits(vs->dirty_row[y_position + i],
+        vs->force_update = 1;
+        for (i = 0; i < h; i++) {
+            vnc_set_bits(vs->guest.dirty[y_position + i],
+                         (ds_get_width(vs->ds) / 16), VNC_DIRTY_WORDS);
+            vnc_set_bits(vs->server.dirty[y_position + i],
                           (ds_get_width(vs->ds) / 16), VNC_DIRTY_WORDS);
                           (ds_get_width(vs->ds) / 16), VNC_DIRTY_WORDS);
-           memset(old_row, 42, ds_get_width(vs->ds) * vs->depth);
-           old_row += ds_get_linesize(vs->ds);
-       }
+        }
      }
  }
  
      }
  }
  
@@ -1134,121 +1530,143 @@ static void send_ext_key_event_ack(VncState *vs)
      vnc_write_u8(vs, 0);
      vnc_write_u8(vs, 0);
      vnc_write_u16(vs, 1);
      vnc_write_u8(vs, 0);
      vnc_write_u8(vs, 0);
      vnc_write_u16(vs, 1);
-    vnc_framebuffer_update(vs, 0, 0, ds_get_width(vs->ds), ds_get_height(vs->ds), -258);
+    vnc_framebuffer_update(vs, 0, 0, ds_get_width(vs->ds), ds_get_height(vs->ds),
+                           VNC_ENCODING_EXT_KEY_EVENT);
+    vnc_flush(vs);
+}
+
+static void send_ext_audio_ack(VncState *vs)
+{
+    vnc_write_u8(vs, 0);
+    vnc_write_u8(vs, 0);
+    vnc_write_u16(vs, 1);
+    vnc_framebuffer_update(vs, 0, 0, ds_get_width(vs->ds), ds_get_height(vs->ds),
+                           VNC_ENCODING_AUDIO);
      vnc_flush(vs);
  }
  
  static void set_encodings(VncState *vs, int32_t *encodings, size_t n_encodings)
  {
      int i;
      vnc_flush(vs);
  }
  
  static void set_encodings(VncState *vs, int32_t *encodings, size_t n_encodings)
  {
      int i;
+    unsigned int enc = 0;
  
  
-    vs->has_hextile = 0;
-    vs->has_resize = 0;
-    vs->has_pointer_type_change = 0;
-    vs->has_WMVi = 0;
+    vnc_zlib_init(vs);
+    vs->features = 0;
+    vs->vnc_encoding = 0;
+    vs->tight_compression = 9;
+    vs->tight_quality = 9;
      vs->absolute = -1;
      vs->absolute = -1;
-    vs->ds->dpy_copy = NULL;
  
      for (i = n_encodings - 1; i >= 0; i--) {
  
      for (i = n_encodings - 1; i >= 0; i--) {
-       switch (encodings[i]) {
-       case 0: /* Raw */
-           vs->has_hextile = 0;
-           break;
-       case 1: /* CopyRect */
-           vs->ds->dpy_copy = vnc_copy;
-           break;
-       case 5: /* Hextile */
-           vs->has_hextile = 1;
-           break;
-       case -223: /* DesktopResize */
-           vs->has_resize = 1;
-           break;
-       case -257:
-           vs->has_pointer_type_change = 1;
-           break;
-        case -258:
+        enc = encodings[i];
+        switch (enc) {
+        case VNC_ENCODING_RAW:
+            vs->vnc_encoding = enc;
+            break;
+        case VNC_ENCODING_COPYRECT:
+            vs->features |= VNC_FEATURE_COPYRECT_MASK;
+            break;
+        case VNC_ENCODING_HEXTILE:
+            vs->features |= VNC_FEATURE_HEXTILE_MASK;
+            vs->vnc_encoding = enc;
+            break;
+        case VNC_ENCODING_ZLIB:
+            vs->features |= VNC_FEATURE_ZLIB_MASK;
+            vs->vnc_encoding = enc;
+            break;
+        case VNC_ENCODING_DESKTOPRESIZE:
+            vs->features |= VNC_FEATURE_RESIZE_MASK;
+            break;
+        case VNC_ENCODING_POINTER_TYPE_CHANGE:
+            vs->features |= VNC_FEATURE_POINTER_TYPE_CHANGE_MASK;
+            break;
+        case VNC_ENCODING_EXT_KEY_EVENT:
              send_ext_key_event_ack(vs);
              break;
              send_ext_key_event_ack(vs);
              break;
-        case 0x574D5669:
-            vs->has_WMVi = 1;
+        case VNC_ENCODING_AUDIO:
+            send_ext_audio_ack(vs);
+            break;
+        case VNC_ENCODING_WMVi:
+            vs->features |= VNC_FEATURE_WMVI_MASK;
+            break;
+        case VNC_ENCODING_COMPRESSLEVEL0 ... VNC_ENCODING_COMPRESSLEVEL0 + 9:
+            vs->tight_compression = (enc & 0x0F);
              break;
              break;
-       default:
-           break;
-       }
+        case VNC_ENCODING_QUALITYLEVEL0 ... VNC_ENCODING_QUALITYLEVEL0 + 9:
+            vs->tight_quality = (enc & 0x0F);
+            break;
+        default:
+            VNC_DEBUG("Unknown encoding: %d (0x%.8x): %d\n", i, enc, enc);
+            break;
+        }
      }
  
      check_pointer_type_change(vs, kbd_mouse_is_absolute());
  }
  
      }
  
      check_pointer_type_change(vs, kbd_mouse_is_absolute());
  }
  
-static void set_pixel_format(VncState *vs,
-                            int bits_per_pixel, int depth,
-                            int big_endian_flag, int true_color_flag,
-                            int red_max, int green_max, int blue_max,
-                            int red_shift, int green_shift, int blue_shift)
+static void set_pixel_conversion(VncState *vs)
  {
  {
-    int host_big_endian_flag;
-
-#ifdef WORDS_BIGENDIAN
-    host_big_endian_flag = 1;
-#else
-    host_big_endian_flag = 0;
-#endif
-    if (!true_color_flag) {
-    fail:
-       vnc_client_error(vs);
-        return;
-    }
-    if (bits_per_pixel == 32 &&
-        bits_per_pixel == vs->depth * 8 &&
-        host_big_endian_flag == big_endian_flag &&
-        red_max == 0xff && green_max == 0xff && blue_max == 0xff &&
-        red_shift == 16 && green_shift == 8 && blue_shift == 0) {
-        vs->depth = 4;
-        vs->write_pixels = vnc_write_pixels_copy;
-        vs->send_hextile_tile = send_hextile_tile_32;
-    } else
-    if (bits_per_pixel == 16 &&
-        bits_per_pixel == vs->depth * 8 && 
-        host_big_endian_flag == big_endian_flag &&
-        red_max == 31 && green_max == 63 && blue_max == 31 &&
-        red_shift == 11 && green_shift == 5 && blue_shift == 0) {
-        vs->depth = 2;
-        vs->write_pixels = vnc_write_pixels_copy;
-        vs->send_hextile_tile = send_hextile_tile_16;
-    } else
-    if (bits_per_pixel == 8 &&
-        bits_per_pixel == vs->depth * 8 &&
-        red_max == 7 && green_max == 7 && blue_max == 3 &&
-        red_shift == 5 && green_shift == 2 && blue_shift == 0) {
-        vs->depth = 1;
+    if ((vs->clientds.flags & QEMU_BIG_ENDIAN_FLAG) ==
+        (vs->ds->surface->flags & QEMU_BIG_ENDIAN_FLAG) && 
+        !memcmp(&(vs->clientds.pf), &(vs->ds->surface->pf), sizeof(PixelFormat))) {
          vs->write_pixels = vnc_write_pixels_copy;
          vs->write_pixels = vnc_write_pixels_copy;
-        vs->send_hextile_tile = send_hextile_tile_8;
-    } else
-    {
-        /* generic and slower case */
-        if (bits_per_pixel != 8 &&
-            bits_per_pixel != 16 &&
-            bits_per_pixel != 32)
-            goto fail;
-        if (vs->depth == 4) {
-            vs->send_hextile_tile = send_hextile_tile_generic_32;
-        } else if (vs->depth == 2) {
-           vs->send_hextile_tile = send_hextile_tile_generic_16;
-        } else {
-            vs->send_hextile_tile = send_hextile_tile_generic_8;
+        switch (vs->ds->surface->pf.bits_per_pixel) {
+            case 8:
+                vs->send_hextile_tile = send_hextile_tile_8;
+                break;
+            case 16:
+                vs->send_hextile_tile = send_hextile_tile_16;
+                break;
+            case 32:
+                vs->send_hextile_tile = send_hextile_tile_32;
+                break;
          }
          }
-
-        vs->pix_big_endian = big_endian_flag;
+    } else {
          vs->write_pixels = vnc_write_pixels_generic;
          vs->write_pixels = vnc_write_pixels_generic;
+        switch (vs->ds->surface->pf.bits_per_pixel) {
+            case 8:
+                vs->send_hextile_tile = send_hextile_tile_generic_8;
+                break;
+            case 16:
+                vs->send_hextile_tile = send_hextile_tile_generic_16;
+                break;
+            case 32:
+                vs->send_hextile_tile = send_hextile_tile_generic_32;
+                break;
+        }
+    }
+}
+
+static void set_pixel_format(VncState *vs,
+                             int bits_per_pixel, int depth,
+                             int big_endian_flag, int true_color_flag,
+                             int red_max, int green_max, int blue_max,
+                             int red_shift, int green_shift, int blue_shift)
+{
+    if (!true_color_flag) {
+        vnc_client_error(vs);
+        return;
      }
  
      }
  
-    vs->client_red_shift = red_shift;
-    vs->client_red_max = red_max;
-    vs->client_green_shift = green_shift;
-    vs->client_green_max = green_max;
-    vs->client_blue_shift = blue_shift;
-    vs->client_blue_max = blue_max;
-    vs->pix_bpp = bits_per_pixel / 8;
+    vs->clientds = *(vs->guest.ds);
+    vs->clientds.pf.rmax = red_max;
+    count_bits(vs->clientds.pf.rbits, red_max);
+    vs->clientds.pf.rshift = red_shift;
+    vs->clientds.pf.rmask = red_max << red_shift;
+    vs->clientds.pf.gmax = green_max;
+    count_bits(vs->clientds.pf.gbits, green_max);
+    vs->clientds.pf.gshift = green_shift;
+    vs->clientds.pf.gmask = green_max << green_shift;
+    vs->clientds.pf.bmax = blue_max;
+    count_bits(vs->clientds.pf.bbits, blue_max);
+    vs->clientds.pf.bshift = blue_shift;
+    vs->clientds.pf.bmask = blue_max << blue_shift;
+    vs->clientds.pf.bits_per_pixel = bits_per_pixel;
+    vs->clientds.pf.bytes_per_pixel = bits_per_pixel / 8;
+    vs->clientds.pf.depth = bits_per_pixel == 32 ? 24 : bits_per_pixel;
+    vs->clientds.flags = big_endian_flag ? QEMU_BIG_ENDIAN_FLAG : 0x00;
+
+    set_pixel_conversion(vs);
  
      vga_hw_invalidate();
      vga_hw_update();
  
      vga_hw_invalidate();
      vga_hw_update();
@@ -1257,147 +1675,52 @@ static void set_pixel_format(VncState *vs,
  static void pixel_format_message (VncState *vs) {
      char pad[3] = { 0, 0, 0 };
  
  static void pixel_format_message (VncState *vs) {
      char pad[3] = { 0, 0, 0 };
  
-    vnc_write_u8(vs, vs->depth * 8); /* bits-per-pixel */
-    if (vs->depth == 4) vnc_write_u8(vs, 24); /* depth */
-    else vnc_write_u8(vs, vs->depth * 8); /* depth */
+    vnc_write_u8(vs, vs->ds->surface->pf.bits_per_pixel); /* bits-per-pixel */
+    vnc_write_u8(vs, vs->ds->surface->pf.depth); /* depth */
  
  
-#ifdef WORDS_BIGENDIAN
+#ifdef HOST_WORDS_BIGENDIAN
      vnc_write_u8(vs, 1);             /* big-endian-flag */
  #else
      vnc_write_u8(vs, 0);             /* big-endian-flag */
  #endif
      vnc_write_u8(vs, 1);             /* true-color-flag */
      vnc_write_u8(vs, 1);             /* big-endian-flag */
  #else
      vnc_write_u8(vs, 0);             /* big-endian-flag */
  #endif
      vnc_write_u8(vs, 1);             /* true-color-flag */
-    if (vs->depth == 4) {
-        vnc_write_u16(vs, 0xFF);     /* red-max */
-        vnc_write_u16(vs, 0xFF);     /* green-max */
-        vnc_write_u16(vs, 0xFF);     /* blue-max */
-        vnc_write_u8(vs, 16);        /* red-shift */
-        vnc_write_u8(vs, 8);         /* green-shift */
-        vnc_write_u8(vs, 0);         /* blue-shift */
+    vnc_write_u16(vs, vs->ds->surface->pf.rmax);     /* red-max */
+    vnc_write_u16(vs, vs->ds->surface->pf.gmax);     /* green-max */
+    vnc_write_u16(vs, vs->ds->surface->pf.bmax);     /* blue-max */
+    vnc_write_u8(vs, vs->ds->surface->pf.rshift);    /* red-shift */
+    vnc_write_u8(vs, vs->ds->surface->pf.gshift);    /* green-shift */
+    vnc_write_u8(vs, vs->ds->surface->pf.bshift);    /* blue-shift */
+    if (vs->ds->surface->pf.bits_per_pixel == 32)
          vs->send_hextile_tile = send_hextile_tile_32;
          vs->send_hextile_tile = send_hextile_tile_32;
-    } else if (vs->depth == 2) {
-        vnc_write_u16(vs, 31);       /* red-max */
-        vnc_write_u16(vs, 63);       /* green-max */
-        vnc_write_u16(vs, 31);       /* blue-max */
-        vnc_write_u8(vs, 11);        /* red-shift */
-        vnc_write_u8(vs, 5);         /* green-shift */
-        vnc_write_u8(vs, 0);         /* blue-shift */
+    else if (vs->ds->surface->pf.bits_per_pixel == 16)
          vs->send_hextile_tile = send_hextile_tile_16;
          vs->send_hextile_tile = send_hextile_tile_16;
-    } else if (vs->depth == 1) {
-        /* XXX: change QEMU pixel 8 bit pixel format to match the VNC one ? */
-        vnc_write_u16(vs, 7);        /* red-max */
-        vnc_write_u16(vs, 7);        /* green-max */
-        vnc_write_u16(vs, 3);        /* blue-max */
-        vnc_write_u8(vs, 5);         /* red-shift */
-        vnc_write_u8(vs, 2);         /* green-shift */
-        vnc_write_u8(vs, 0);         /* blue-shift */
+    else if (vs->ds->surface->pf.bits_per_pixel == 8)
          vs->send_hextile_tile = send_hextile_tile_8;
          vs->send_hextile_tile = send_hextile_tile_8;
-    }
-    vs->client_red_max = vs->server_red_max;
-    vs->client_green_max = vs->server_green_max;
-    vs->client_blue_max = vs->server_blue_max;
-    vs->client_red_shift = vs->server_red_shift;
-    vs->client_green_shift = vs->server_green_shift;
-    vs->client_blue_shift = vs->server_blue_shift;
-    vs->pix_bpp = vs->depth * 8;
+    vs->clientds = *(vs->ds->surface);
+    vs->clientds.flags &= ~QEMU_ALLOCATED_FLAG;
      vs->write_pixels = vnc_write_pixels_copy;
  
      vnc_write(vs, pad, 3);           /* padding */
  }
  
      vs->write_pixels = vnc_write_pixels_copy;
  
      vnc_write(vs, pad, 3);           /* padding */
  }
  
-static void vnc_colordepth(DisplayState *ds, int depth)
+static void vnc_dpy_setdata(DisplayState *ds)
  {
  {
-    int host_big_endian_flag;
-    struct VncState *vs = ds->opaque;
-
-    switch (depth) {
-        case 24:
-            if (ds->depth == 32) return;
-            depth = 32;
-            break;
-        case 15:
-        case 8:
-        case 0:
-            return;
-        default:
-            break;
-    }
-
-#ifdef WORDS_BIGENDIAN
-    host_big_endian_flag = 1;
-#else
-    host_big_endian_flag = 0;
-#endif   
-    
-    switch (depth) {
-        case 8:
-            vs->depth = depth / 8;
-            vs->server_red_max = 7;
-            vs->server_green_max = 7;
-            vs->server_blue_max = 3;
-            vs->server_red_shift = 5;
-            vs->server_green_shift = 2;
-            vs->server_blue_shift = 0;
-            break;
-        case 16:
-            vs->depth = depth / 8;
-            vs->server_red_max = 31;
-            vs->server_green_max = 63;
-            vs->server_blue_max = 31;
-            vs->server_red_shift = 11;
-            vs->server_green_shift = 5;
-            vs->server_blue_shift = 0;
-            break;
-        case 32:
-            vs->depth = 4;
-            vs->server_red_max = 255;
-            vs->server_green_max = 255;
-            vs->server_blue_max = 255;
-            vs->server_red_shift = 16;
-            vs->server_green_shift = 8;
-            vs->server_blue_shift = 0;
-            break;
-        default:
-            return;
-    }
+    /* We don't have to do anything */
+}
  
  
-    if (vs->csock != -1 && vs->has_WMVi) {
+static void vnc_colordepth(VncState *vs)
+{
+    if (vnc_has_feature(vs, VNC_FEATURE_WMVI)) {
          /* Sending a WMVi message to notify the client*/
          vnc_write_u8(vs, 0);  /* msg id */
          vnc_write_u8(vs, 0);
          vnc_write_u16(vs, 1); /* number of rects */
          /* Sending a WMVi message to notify the client*/
          vnc_write_u8(vs, 0);  /* msg id */
          vnc_write_u8(vs, 0);
          vnc_write_u16(vs, 1); /* number of rects */
-        vnc_framebuffer_update(vs, 0, 0, ds->width, ds->height, 0x574D5669);
+        vnc_framebuffer_update(vs, 0, 0, ds_get_width(vs->ds), 
+                               ds_get_height(vs->ds), VNC_ENCODING_WMVi);
          pixel_format_message(vs);
          vnc_flush(vs);
      } else {
          pixel_format_message(vs);
          vnc_flush(vs);
      } else {
-        if (vs->pix_bpp == 4 && vs->depth == 4 &&
-                host_big_endian_flag == vs->pix_big_endian &&
-                vs->client_red_max == 0xff && vs->client_green_max == 0xff && vs->client_blue_max == 0xff &&
-                vs->client_red_shift == 16 && vs->client_green_shift == 8 && vs->client_blue_shift == 0) {
-            vs->write_pixels = vnc_write_pixels_copy;
-            vs->send_hextile_tile = send_hextile_tile_32;
-        } else if (vs->pix_bpp == 2 && vs->depth == 2 &&
-                host_big_endian_flag == vs->pix_big_endian &&
-                vs->client_red_max == 31 && vs->client_green_max == 63 && vs->client_blue_max == 31 &&
-                vs->client_red_shift == 11 && vs->client_green_shift == 5 && vs->client_blue_shift == 0) {
-            vs->write_pixels = vnc_write_pixels_copy;
-            vs->send_hextile_tile = send_hextile_tile_16;
-        } else if (vs->pix_bpp == 1 && vs->depth == 1 &&
-                host_big_endian_flag == vs->pix_big_endian &&
-                vs->client_red_max == 7 && vs->client_green_max == 7 && vs->client_blue_max == 3 &&
-                vs->client_red_shift == 5 && vs->client_green_shift == 2 && vs->client_blue_shift == 0) {
-            vs->write_pixels = vnc_write_pixels_copy;
-            vs->send_hextile_tile = send_hextile_tile_8;
-        } else {
-            if (vs->depth == 4) {
-                vs->send_hextile_tile = send_hextile_tile_generic_32;
-            } else if (vs->depth == 2) {
-                vs->send_hextile_tile = send_hextile_tile_generic_16;
-            } else {
-                vs->send_hextile_tile = send_hextile_tile_generic_8;
-            }
-            vs->write_pixels = vnc_write_pixels_generic;
-        }
+        set_pixel_conversion(vs);
      }
  }
  
      }
  }
  
@@ -1408,62 +1731,65 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
  
      switch (data[0]) {
      case 0:
  
      switch (data[0]) {
      case 0:
-       if (len == 1)
-           return 20;
-
-       set_pixel_format(vs, read_u8(data, 4), read_u8(data, 5),
-                        read_u8(data, 6), read_u8(data, 7),
-                        read_u16(data, 8), read_u16(data, 10),
-                        read_u16(data, 12), read_u8(data, 14),
-                        read_u8(data, 15), read_u8(data, 16));
-       break;
-    case 2:
-       if (len == 1)
-           return 4;
-
-       if (len == 4)
-           return 4 + (read_u16(data, 2) * 4);
+        if (len == 1)
+            return 20;
  
  
-       limit = read_u16(data, 2);
-       for (i = 0; i < limit; i++) {
-           int32_t val = read_s32(data, 4 + (i * 4));
-           memcpy(data + 4 + (i * 4), &val, sizeof(val));
-       }
+        set_pixel_format(vs, read_u8(data, 4), read_u8(data, 5),
+                         read_u8(data, 6), read_u8(data, 7),
+                         read_u16(data, 8), read_u16(data, 10),
+                         read_u16(data, 12), read_u8(data, 14),
+                         read_u8(data, 15), read_u8(data, 16));
+        break;
+    case 2:
+        if (len == 1)
+            return 4;
+
+        if (len == 4) {
+            limit = read_u16(data, 2);
+            if (limit > 0)
+                return 4 + (limit * 4);
+        } else
+            limit = read_u16(data, 2);
+
+        for (i = 0; i < limit; i++) {
+            int32_t val = read_s32(data, 4 + (i * 4));
+            memcpy(data + 4 + (i * 4), &val, sizeof(val));
+        }
  
  
-       set_encodings(vs, (int32_t *)(data + 4), limit);
-       break;
+        set_encodings(vs, (int32_t *)(data + 4), limit);
+        break;
      case 3:
      case 3:
-       if (len == 1)
-           return 10;
+        if (len == 1)
+            return 10;
  
  
-       framebuffer_update_request(vs,
-                                  read_u8(data, 1), read_u16(data, 2), read_u16(data, 4),
-                                  read_u16(data, 6), read_u16(data, 8));
-       break;
+        framebuffer_update_request(vs,
+                                   read_u8(data, 1), read_u16(data, 2), read_u16(data, 4),
+                                   read_u16(data, 6), read_u16(data, 8));
+        break;
      case 4:
      case 4:
-       if (len == 1)
-           return 8;
+        if (len == 1)
+            return 8;
  
  
-       key_event(vs, read_u8(data, 1), read_u32(data, 4));
-       break;
+        key_event(vs, read_u8(data, 1), read_u32(data, 4));
+        break;
      case 5:
      case 5:
-       if (len == 1)
-           return 6;
+        if (len == 1)
+            return 6;
  
  
-       pointer_event(vs, read_u8(data, 1), read_u16(data, 2), read_u16(data, 4));
-       break;
+        pointer_event(vs, read_u8(data, 1), read_u16(data, 2), read_u16(data, 4));
+        break;
      case 6:
      case 6:
-       if (len == 1)
-           return 8;
+        if (len == 1)
+            return 8;
  
  
-       if (len == 8) {
+        if (len == 8) {
              uint32_t dlen = read_u32(data, 4);
              if (dlen > 0)
                  return 8 + dlen;
          }
  
              uint32_t dlen = read_u32(data, 4);
              if (dlen > 0)
                  return 8 + dlen;
          }
  
-       client_cut_text(vs, read_u32(data, 4), data + 8);
-       break;
+        client_cut_text(vs, read_u32(data, 4), data + 8);
+        break;
      case 255:
          if (len == 1)
              return 2;
      case 255:
          if (len == 1)
              return 2;
@@ -1476,6 +1802,48 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
              ext_key_event(vs, read_u16(data, 2),
                            read_u32(data, 4), read_u32(data, 8));
              break;
              ext_key_event(vs, read_u16(data, 2),
                            read_u32(data, 4), read_u32(data, 8));
              break;
+        case 1:
+            if (len == 2)
+                return 4;
+
+            switch (read_u16 (data, 2)) {
+            case 0:
+                audio_add(vs);
+                break;
+            case 1:
+                audio_del(vs);
+                break;
+            case 2:
+                if (len == 4)
+                    return 10;
+                switch (read_u8(data, 4)) {
+                case 0: vs->as.fmt = AUD_FMT_U8; break;
+                case 1: vs->as.fmt = AUD_FMT_S8; break;
+                case 2: vs->as.fmt = AUD_FMT_U16; break;
+                case 3: vs->as.fmt = AUD_FMT_S16; break;
+                case 4: vs->as.fmt = AUD_FMT_U32; break;
+                case 5: vs->as.fmt = AUD_FMT_S32; break;
+                default:
+                    printf("Invalid audio format %d\n", read_u8(data, 4));
+                    vnc_client_error(vs);
+                    break;
+                }
+                vs->as.nchannels = read_u8(data, 5);
+                if (vs->as.nchannels != 1 && vs->as.nchannels != 2) {
+                    printf("Invalid audio channel coount %d\n",
+                           read_u8(data, 5));
+                    vnc_client_error(vs);
+                    break;
+                }
+                vs->as.freq = read_u32(data, 6);
+                break;
+            default:
+                printf ("Invalid audio message %d\n", read_u8(data, 4));
+                vnc_client_error(vs);
+                break;
+            }
+            break;
+
          default:
              printf("Msg: %d\n", read_u16(data, 0));
              vnc_client_error(vs);
          default:
              printf("Msg: %d\n", read_u16(data, 0));
              vnc_client_error(vs);
@@ -1483,9 +1851,9 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
          }
          break;
      default:
          }
          break;
      default:
-       printf("Msg: %d\n", data[0]);
-       vnc_client_error(vs);
-       break;
+        printf("Msg: %d\n", data[0]);
+        vnc_client_error(vs);
+        break;
      }
  
      vnc_read_when(vs, protocol_client_msg, 1);
      }
  
      vnc_read_when(vs, protocol_client_msg, 1);
@@ -1497,8 +1865,6 @@ static int protocol_client_init(VncState *vs, uint8_t *data, size_t len)
      char buf[1024];
      int size;
  
      char buf[1024];
      int size;
  
-    vs->width = ds_get_width(vs->ds);
-    vs->height = ds_get_height(vs->ds);
      vnc_write_u16(vs, ds_get_width(vs->ds));
      vnc_write_u16(vs, ds_get_height(vs->ds));
  
      vnc_write_u16(vs, ds_get_width(vs->ds));
      vnc_write_u16(vs, ds_get_height(vs->ds));
  
@@ -1518,6 +1884,11 @@ static int protocol_client_init(VncState *vs, uint8_t *data, size_t len)
      return 0;
  }
  
      return 0;
  }
  
+void start_client_init(VncState *vs)
+{
+    vnc_read_when(vs, protocol_client_init, 1);
+}
+
  static void make_challenge(VncState *vs)
  {
      int i;
  static void make_challenge(VncState *vs)
  {
      int i;
@@ -1534,51 +1905,51 @@ static int protocol_client_auth_vnc(VncState *vs, uint8_t *data, size_t len)
      int i, j, pwlen;
      unsigned char key[8];
  
      int i, j, pwlen;
      unsigned char key[8];
  
-    if (!vs->password || !vs->password[0]) {
-       VNC_DEBUG("No password configured on server");
-       vnc_write_u32(vs, 1); /* Reject auth */
-       if (vs->minor >= 8) {
-           static const char err[] = "Authentication failed";
-           vnc_write_u32(vs, sizeof(err));
-           vnc_write(vs, err, sizeof(err));
-       }
-       vnc_flush(vs);
-       vnc_client_error(vs);
-       return 0;
+    if (!vs->vd->password || !vs->vd->password[0]) {
+        VNC_DEBUG("No password configured on server");
+        vnc_write_u32(vs, 1); /* Reject auth */
+        if (vs->minor >= 8) {
+            static const char err[] = "Authentication failed";
+            vnc_write_u32(vs, sizeof(err));
+            vnc_write(vs, err, sizeof(err));
+        }
+        vnc_flush(vs);
+        vnc_client_error(vs);
+        return 0;
      }
  
      memcpy(response, vs->challenge, VNC_AUTH_CHALLENGE_SIZE);
  
      /* Calculate the expected challenge response */
      }
  
      memcpy(response, vs->challenge, VNC_AUTH_CHALLENGE_SIZE);
  
      /* Calculate the expected challenge response */
-    pwlen = strlen(vs->password);
+    pwlen = strlen(vs->vd->password);
      for (i=0; i<sizeof(key); i++)
      for (i=0; i<sizeof(key); i++)
-        key[i] = i<pwlen ? vs->password[i] : 0;
+        key[i] = i<pwlen ? vs->vd->password[i] : 0;
      deskey(key, EN0);
      for (j = 0; j < VNC_AUTH_CHALLENGE_SIZE; j += 8)
          des(response+j, response+j);
  
      /* Compare expected vs actual challenge response */
      if (memcmp(response, data, VNC_AUTH_CHALLENGE_SIZE) != 0) {
      deskey(key, EN0);
      for (j = 0; j < VNC_AUTH_CHALLENGE_SIZE; j += 8)
          des(response+j, response+j);
  
      /* Compare expected vs actual challenge response */
      if (memcmp(response, data, VNC_AUTH_CHALLENGE_SIZE) != 0) {
-       VNC_DEBUG("Client challenge reponse did not match\n");
-       vnc_write_u32(vs, 1); /* Reject auth */
-       if (vs->minor >= 8) {
-           static const char err[] = "Authentication failed";
-           vnc_write_u32(vs, sizeof(err));
-           vnc_write(vs, err, sizeof(err));
-       }
-       vnc_flush(vs);
-       vnc_client_error(vs);
+        VNC_DEBUG("Client challenge reponse did not match\n");
+        vnc_write_u32(vs, 1); /* Reject auth */
+        if (vs->minor >= 8) {
+            static const char err[] = "Authentication failed";
+            vnc_write_u32(vs, sizeof(err));
+            vnc_write(vs, err, sizeof(err));
+        }
+        vnc_flush(vs);
+        vnc_client_error(vs);
      } else {
      } else {
-       VNC_DEBUG("Accepting VNC challenge response\n");
-       vnc_write_u32(vs, 0); /* Accept auth */
-       vnc_flush(vs);
+        VNC_DEBUG("Accepting VNC challenge response\n");
+        vnc_write_u32(vs, 0); /* Accept auth */
+        vnc_flush(vs);
  
  
-       vnc_read_when(vs, protocol_client_init, 1);
+        start_client_init(vs);
      }
      return 0;
  }
  
      }
      return 0;
  }
  
-static int start_auth_vnc(VncState *vs)
+void start_auth_vnc(VncState *vs)
  {
      make_challenge(vs);
      /* Send client a 'random' challenge */
  {
      make_challenge(vs);
      /* Send client a 'random' challenge */
@@ -1586,425 +1957,15 @@ static int start_auth_vnc(VncState *vs)
      vnc_flush(vs);
  
      vnc_read_when(vs, protocol_client_auth_vnc, sizeof(vs->challenge));
      vnc_flush(vs);
  
      vnc_read_when(vs, protocol_client_auth_vnc, sizeof(vs->challenge));
-    return 0;
-}
-
-
-#ifdef CONFIG_VNC_TLS
-#define DH_BITS 1024
-static gnutls_dh_params_t dh_params;
-
-static int vnc_tls_initialize(void)
-{
-    static int tlsinitialized = 0;
-
-    if (tlsinitialized)
-       return 1;
-
-    if (gnutls_global_init () < 0)
-       return 0;
-
-    /* XXX ought to re-generate diffie-hellmen params periodically */
-    if (gnutls_dh_params_init (&dh_params) < 0)
-       return 0;
-    if (gnutls_dh_params_generate2 (dh_params, DH_BITS) < 0)
-       return 0;
-
-#if defined(_VNC_DEBUG) && _VNC_DEBUG >= 2
-    gnutls_global_set_log_level(10);
-    gnutls_global_set_log_function(vnc_debug_gnutls_log);
-#endif
-
-    tlsinitialized = 1;
-
-    return 1;
  }
  
  }
  
-static gnutls_anon_server_credentials vnc_tls_initialize_anon_cred(void)
-{
-    gnutls_anon_server_credentials anon_cred;
-    int ret;
-
-    if ((ret = gnutls_anon_allocate_server_credentials(&anon_cred)) < 0) {
-       VNC_DEBUG("Cannot allocate credentials %s\n", gnutls_strerror(ret));
-       return NULL;
-    }
-
-    gnutls_anon_set_server_dh_params(anon_cred, dh_params);
-
-    return anon_cred;
-}
-
-
-static gnutls_certificate_credentials_t vnc_tls_initialize_x509_cred(VncState *vs)
-{
-    gnutls_certificate_credentials_t x509_cred;
-    int ret;
-
-    if (!vs->x509cacert) {
-       VNC_DEBUG("No CA x509 certificate specified\n");
-       return NULL;
-    }
-    if (!vs->x509cert) {
-       VNC_DEBUG("No server x509 certificate specified\n");
-       return NULL;
-    }
-    if (!vs->x509key) {
-       VNC_DEBUG("No server private key specified\n");
-       return NULL;
-    }
-
-    if ((ret = gnutls_certificate_allocate_credentials(&x509_cred)) < 0) {
-       VNC_DEBUG("Cannot allocate credentials %s\n", gnutls_strerror(ret));
-       return NULL;
-    }
-    if ((ret = gnutls_certificate_set_x509_trust_file(x509_cred,
-                                                     vs->x509cacert,
-                                                     GNUTLS_X509_FMT_PEM)) < 0) {
-       VNC_DEBUG("Cannot load CA certificate %s\n", gnutls_strerror(ret));
-       gnutls_certificate_free_credentials(x509_cred);
-       return NULL;
-    }
-
-    if ((ret = gnutls_certificate_set_x509_key_file (x509_cred,
-                                                    vs->x509cert,
-                                                    vs->x509key,
-                                                    GNUTLS_X509_FMT_PEM)) < 0) {
-       VNC_DEBUG("Cannot load certificate & key %s\n", gnutls_strerror(ret));
-       gnutls_certificate_free_credentials(x509_cred);
-       return NULL;
-    }
-
-    if (vs->x509cacrl) {
-       if ((ret = gnutls_certificate_set_x509_crl_file(x509_cred,
-                                                       vs->x509cacrl,
-                                                       GNUTLS_X509_FMT_PEM)) < 0) {
-           VNC_DEBUG("Cannot load CRL %s\n", gnutls_strerror(ret));
-           gnutls_certificate_free_credentials(x509_cred);
-           return NULL;
-       }
-    }
-
-    gnutls_certificate_set_dh_params (x509_cred, dh_params);
-
-    return x509_cred;
-}
-
-static int vnc_validate_certificate(struct VncState *vs)
-{
-    int ret;
-    unsigned int status;
-    const gnutls_datum_t *certs;
-    unsigned int nCerts, i;
-    time_t now;
-
-    VNC_DEBUG("Validating client certificate\n");
-    if ((ret = gnutls_certificate_verify_peers2 (vs->tls_session, &status)) < 0) {
-       VNC_DEBUG("Verify failed %s\n", gnutls_strerror(ret));
-       return -1;
-    }
-
-    if ((now = time(NULL)) == ((time_t)-1)) {
-       return -1;
-    }
-
-    if (status != 0) {
-       if (status & GNUTLS_CERT_INVALID)
-           VNC_DEBUG("The certificate is not trusted.\n");
-
-       if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
-           VNC_DEBUG("The certificate hasn't got a known issuer.\n");
-
-       if (status & GNUTLS_CERT_REVOKED)
-           VNC_DEBUG("The certificate has been revoked.\n");
-
-       if (status & GNUTLS_CERT_INSECURE_ALGORITHM)
-           VNC_DEBUG("The certificate uses an insecure algorithm\n");
-
-       return -1;
-    } else {
-       VNC_DEBUG("Certificate is valid!\n");
-    }
-
-    /* Only support x509 for now */
-    if (gnutls_certificate_type_get(vs->tls_session) != GNUTLS_CRT_X509)
-       return -1;
-
-    if (!(certs = gnutls_certificate_get_peers(vs->tls_session, &nCerts)))
-       return -1;
-
-    for (i = 0 ; i < nCerts ; i++) {
-       gnutls_x509_crt_t cert;
-       VNC_DEBUG ("Checking certificate chain %d\n", i);
-       if (gnutls_x509_crt_init (&cert) < 0)
-           return -1;
-
-       if (gnutls_x509_crt_import(cert, &certs[i], GNUTLS_X509_FMT_DER) < 0) {
-           gnutls_x509_crt_deinit (cert);
-           return -1;
-       }
-
-       if (gnutls_x509_crt_get_expiration_time (cert) < now) {
-           VNC_DEBUG("The certificate has expired\n");
-           gnutls_x509_crt_deinit (cert);
-           return -1;
-       }
-
-       if (gnutls_x509_crt_get_activation_time (cert) > now) {
-           VNC_DEBUG("The certificate is not yet activated\n");
-           gnutls_x509_crt_deinit (cert);
-           return -1;
-       }
-
-       if (gnutls_x509_crt_get_activation_time (cert) > now) {
-           VNC_DEBUG("The certificate is not yet activated\n");
-           gnutls_x509_crt_deinit (cert);
-           return -1;
-       }
-
-       gnutls_x509_crt_deinit (cert);
-    }
-
-    return 0;
-}
-
-
-static int start_auth_vencrypt_subauth(VncState *vs)
-{
-    switch (vs->subauth) {
-    case VNC_AUTH_VENCRYPT_TLSNONE:
-    case VNC_AUTH_VENCRYPT_X509NONE:
-       VNC_DEBUG("Accept TLS auth none\n");
-       vnc_write_u32(vs, 0); /* Accept auth completion */
-       vnc_read_when(vs, protocol_client_init, 1);
-       break;
-
-    case VNC_AUTH_VENCRYPT_TLSVNC:
-    case VNC_AUTH_VENCRYPT_X509VNC:
-       VNC_DEBUG("Start TLS auth VNC\n");
-       return start_auth_vnc(vs);
-
-    default: /* Should not be possible, but just in case */
-       VNC_DEBUG("Reject auth %d\n", vs->auth);
-       vnc_write_u8(vs, 1);
-       if (vs->minor >= 8) {
-           static const char err[] = "Unsupported authentication type";
-           vnc_write_u32(vs, sizeof(err));
-           vnc_write(vs, err, sizeof(err));
-       }
-       vnc_client_error(vs);
-    }
-
-    return 0;
-}
-
-static void vnc_handshake_io(void *opaque);
-
-static int vnc_continue_handshake(struct VncState *vs) {
-    int ret;
-
-    if ((ret = gnutls_handshake(vs->tls_session)) < 0) {
-       if (!gnutls_error_is_fatal(ret)) {
-           VNC_DEBUG("Handshake interrupted (blocking)\n");
-           if (!gnutls_record_get_direction(vs->tls_session))
-               qemu_set_fd_handler(vs->csock, vnc_handshake_io, NULL, vs);
-           else
-               qemu_set_fd_handler(vs->csock, NULL, vnc_handshake_io, vs);
-           return 0;
-       }
-       VNC_DEBUG("Handshake failed %s\n", gnutls_strerror(ret));
-       vnc_client_error(vs);
-       return -1;
-    }
-
-    if (vs->x509verify) {
-       if (vnc_validate_certificate(vs) < 0) {
-           VNC_DEBUG("Client verification failed\n");
-           vnc_client_error(vs);
-           return -1;
-       } else {
-           VNC_DEBUG("Client verification passed\n");
-       }
-    }
-
-    VNC_DEBUG("Handshake done, switching to TLS data mode\n");
-    vs->wiremode = VNC_WIREMODE_TLS;
-    qemu_set_fd_handler2(vs->csock, NULL, vnc_client_read, vnc_client_write, vs);
-
-    return start_auth_vencrypt_subauth(vs);
-}
-
-static void vnc_handshake_io(void *opaque) {
-    struct VncState *vs = (struct VncState *)opaque;
-
-    VNC_DEBUG("Handshake IO continue\n");
-    vnc_continue_handshake(vs);
-}
-
-#define NEED_X509_AUTH(vs)                           \
-    ((vs)->subauth == VNC_AUTH_VENCRYPT_X509NONE ||   \
-     (vs)->subauth == VNC_AUTH_VENCRYPT_X509VNC ||    \
-     (vs)->subauth == VNC_AUTH_VENCRYPT_X509PLAIN)
-
-
-static int vnc_start_tls(struct VncState *vs) {
-    static const int cert_type_priority[] = { GNUTLS_CRT_X509, 0 };
-    static const int protocol_priority[]= { GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0 };
-    static const int kx_anon[] = {GNUTLS_KX_ANON_DH, 0};
-    static const int kx_x509[] = {GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA, GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0};
-
-    VNC_DEBUG("Do TLS setup\n");
-    if (vnc_tls_initialize() < 0) {
-       VNC_DEBUG("Failed to init TLS\n");
-       vnc_client_error(vs);
-       return -1;
-    }
-    if (vs->tls_session == NULL) {
-       if (gnutls_init(&vs->tls_session, GNUTLS_SERVER) < 0) {
-           vnc_client_error(vs);
-           return -1;
-       }
-
-       if (gnutls_set_default_priority(vs->tls_session) < 0) {
-           gnutls_deinit(vs->tls_session);
-           vs->tls_session = NULL;
-           vnc_client_error(vs);
-           return -1;
-       }
-
-       if (gnutls_kx_set_priority(vs->tls_session, NEED_X509_AUTH(vs) ? kx_x509 : kx_anon) < 0) {
-           gnutls_deinit(vs->tls_session);
-           vs->tls_session = NULL;
-           vnc_client_error(vs);
-           return -1;
-       }
-
-       if (gnutls_certificate_type_set_priority(vs->tls_session, cert_type_priority) < 0) {
-           gnutls_deinit(vs->tls_session);
-           vs->tls_session = NULL;
-           vnc_client_error(vs);
-           return -1;
-       }
-
-       if (gnutls_protocol_set_priority(vs->tls_session, protocol_priority) < 0) {
-           gnutls_deinit(vs->tls_session);
-           vs->tls_session = NULL;
-           vnc_client_error(vs);
-           return -1;
-       }
-
-       if (NEED_X509_AUTH(vs)) {
-           gnutls_certificate_server_credentials x509_cred = vnc_tls_initialize_x509_cred(vs);
-           if (!x509_cred) {
-               gnutls_deinit(vs->tls_session);
-               vs->tls_session = NULL;
-               vnc_client_error(vs);
-               return -1;
-           }
-           if (gnutls_credentials_set(vs->tls_session, GNUTLS_CRD_CERTIFICATE, x509_cred) < 0) {
-               gnutls_deinit(vs->tls_session);
-               vs->tls_session = NULL;
-               gnutls_certificate_free_credentials(x509_cred);
-               vnc_client_error(vs);
-               return -1;
-           }
-           if (vs->x509verify) {
-               VNC_DEBUG("Requesting a client certificate\n");
-               gnutls_certificate_server_set_request (vs->tls_session, GNUTLS_CERT_REQUEST);
-           }
-
-       } else {
-           gnutls_anon_server_credentials anon_cred = vnc_tls_initialize_anon_cred();
-           if (!anon_cred) {
-               gnutls_deinit(vs->tls_session);
-               vs->tls_session = NULL;
-               vnc_client_error(vs);
-               return -1;
-           }
-           if (gnutls_credentials_set(vs->tls_session, GNUTLS_CRD_ANON, anon_cred) < 0) {
-               gnutls_deinit(vs->tls_session);
-               vs->tls_session = NULL;
-               gnutls_anon_free_server_credentials(anon_cred);
-               vnc_client_error(vs);
-               return -1;
-           }
-       }
-
-       gnutls_transport_set_ptr(vs->tls_session, (gnutls_transport_ptr_t)vs);
-       gnutls_transport_set_push_function(vs->tls_session, vnc_tls_push);
-       gnutls_transport_set_pull_function(vs->tls_session, vnc_tls_pull);
-    }
-
-    VNC_DEBUG("Start TLS handshake process\n");
-    return vnc_continue_handshake(vs);
-}
-
-static int protocol_client_vencrypt_auth(VncState *vs, uint8_t *data, size_t len)
-{
-    int auth = read_u32(data, 0);
-
-    if (auth != vs->subauth) {
-       VNC_DEBUG("Rejecting auth %d\n", auth);
-       vnc_write_u8(vs, 0); /* Reject auth */
-       vnc_flush(vs);
-       vnc_client_error(vs);
-    } else {
-       VNC_DEBUG("Accepting auth %d, starting handshake\n", auth);
-       vnc_write_u8(vs, 1); /* Accept auth */
-       vnc_flush(vs);
-
-       if (vnc_start_tls(vs) < 0) {
-           VNC_DEBUG("Failed to complete TLS\n");
-           return 0;
-       }
-
-       if (vs->wiremode == VNC_WIREMODE_TLS) {
-           VNC_DEBUG("Starting VeNCrypt subauth\n");
-           return start_auth_vencrypt_subauth(vs);
-       } else {
-           VNC_DEBUG("TLS handshake blocked\n");
-           return 0;
-       }
-    }
-    return 0;
-}
-
-static int protocol_client_vencrypt_init(VncState *vs, uint8_t *data, size_t len)
-{
-    if (data[0] != 0 ||
-       data[1] != 2) {
-       VNC_DEBUG("Unsupported VeNCrypt protocol %d.%d\n", (int)data[0], (int)data[1]);
-       vnc_write_u8(vs, 1); /* Reject version */
-       vnc_flush(vs);
-       vnc_client_error(vs);
-    } else {
-       VNC_DEBUG("Sending allowed auth %d\n", vs->subauth);
-       vnc_write_u8(vs, 0); /* Accept version */
-       vnc_write_u8(vs, 1); /* Number of sub-auths */
-       vnc_write_u32(vs, vs->subauth); /* The supported auth */
-       vnc_flush(vs);
-       vnc_read_when(vs, protocol_client_vencrypt_auth, 4);
-    }
-    return 0;
-}
-
-static int start_auth_vencrypt(VncState *vs)
-{
-    /* Send VeNCrypt version 0.2 */
-    vnc_write_u8(vs, 0);
-    vnc_write_u8(vs, 2);
-
-    vnc_read_when(vs, protocol_client_vencrypt_init, 2);
-    return 0;
-}
-#endif /* CONFIG_VNC_TLS */
  
  static int protocol_client_auth(VncState *vs, uint8_t *data, size_t len)
  {
      /* We only advertise 1 auth scheme at a time, so client
       * must pick the one we sent. Verify this */
  
  static int protocol_client_auth(VncState *vs, uint8_t *data, size_t len)
  {
      /* We only advertise 1 auth scheme at a time, so client
       * must pick the one we sent. Verify this */
-    if (data[0] != vs->auth) { /* Reject auth */
-       VNC_DEBUG("Reject auth %d\n", (int)data[0]);
+    if (data[0] != vs->vd->auth) { /* Reject auth */
+       VNC_DEBUG("Reject auth %d because it didn't match advertized\n", (int)data[0]);
         vnc_write_u32(vs, 1);
         if (vs->minor >= 8) {
             static const char err[] = "Authentication failed";
         vnc_write_u32(vs, 1);
         if (vs->minor >= 8) {
             static const char err[] = "Authentication failed";
@@ -2014,28 +1975,37 @@ static int protocol_client_auth(VncState *vs, uint8_t *data, size_t len)
         vnc_client_error(vs);
      } else { /* Accept requested auth */
         VNC_DEBUG("Client requested auth %d\n", (int)data[0]);
         vnc_client_error(vs);
      } else { /* Accept requested auth */
         VNC_DEBUG("Client requested auth %d\n", (int)data[0]);
-       switch (vs->auth) {
+       switch (vs->vd->auth) {
         case VNC_AUTH_NONE:
             VNC_DEBUG("Accept auth none\n");
             if (vs->minor >= 8) {
                 vnc_write_u32(vs, 0); /* Accept auth completion */
                 vnc_flush(vs);
             }
         case VNC_AUTH_NONE:
             VNC_DEBUG("Accept auth none\n");
             if (vs->minor >= 8) {
                 vnc_write_u32(vs, 0); /* Accept auth completion */
                 vnc_flush(vs);
             }
-           vnc_read_when(vs, protocol_client_init, 1);
+           start_client_init(vs);
             break;
  
         case VNC_AUTH_VNC:
             VNC_DEBUG("Start VNC auth\n");
             break;
  
         case VNC_AUTH_VNC:
             VNC_DEBUG("Start VNC auth\n");
-           return start_auth_vnc(vs);
+           start_auth_vnc(vs);
+           break;
  
  #ifdef CONFIG_VNC_TLS
         case VNC_AUTH_VENCRYPT:
             VNC_DEBUG("Accept VeNCrypt auth\n");;
  
  #ifdef CONFIG_VNC_TLS
         case VNC_AUTH_VENCRYPT:
             VNC_DEBUG("Accept VeNCrypt auth\n");;
-           return start_auth_vencrypt(vs);
+           start_auth_vencrypt(vs);
+           break;
  #endif /* CONFIG_VNC_TLS */
  
  #endif /* CONFIG_VNC_TLS */
  
+#ifdef CONFIG_VNC_SASL
+       case VNC_AUTH_SASL:
+           VNC_DEBUG("Accept SASL auth\n");
+           start_auth_sasl(vs);
+           break;
+#endif /* CONFIG_VNC_SASL */
+
         default: /* Should not be possible, but just in case */
         default: /* Should not be possible, but just in case */
-           VNC_DEBUG("Reject auth %d\n", vs->auth);
+           VNC_DEBUG("Reject auth %d server code bug\n", vs->vd->auth);
             vnc_write_u8(vs, 1);
             if (vs->minor >= 8) {
                 static const char err[] = "Authentication failed";
             vnc_write_u8(vs, 1);
             if (vs->minor >= 8) {
                 static const char err[] = "Authentication failed";
@@ -2056,240 +2026,184 @@ static int protocol_version(VncState *vs, uint8_t *version, size_t len)
      local[12] = 0;
  
      if (sscanf(local, "RFB %03d.%03d\n", &vs->major, &vs->minor) != 2) {
      local[12] = 0;
  
      if (sscanf(local, "RFB %03d.%03d\n", &vs->major, &vs->minor) != 2) {
-       VNC_DEBUG("Malformed protocol version %s\n", local);
-       vnc_client_error(vs);
-       return 0;
+        VNC_DEBUG("Malformed protocol version %s\n", local);
+        vnc_client_error(vs);
+        return 0;
      }
      VNC_DEBUG("Client request protocol version %d.%d\n", vs->major, vs->minor);
      if (vs->major != 3 ||
      }
      VNC_DEBUG("Client request protocol version %d.%d\n", vs->major, vs->minor);
      if (vs->major != 3 ||
-       (vs->minor != 3 &&
-        vs->minor != 4 &&
-        vs->minor != 5 &&
-        vs->minor != 7 &&
-        vs->minor != 8)) {
-       VNC_DEBUG("Unsupported client version\n");
-       vnc_write_u32(vs, VNC_AUTH_INVALID);
-       vnc_flush(vs);
-       vnc_client_error(vs);
-       return 0;
+        (vs->minor != 3 &&
+         vs->minor != 4 &&
+         vs->minor != 5 &&
+         vs->minor != 7 &&
+         vs->minor != 8)) {
+        VNC_DEBUG("Unsupported client version\n");
+        vnc_write_u32(vs, VNC_AUTH_INVALID);
+        vnc_flush(vs);
+        vnc_client_error(vs);
+        return 0;
      }
      /* Some broken clients report v3.4 or v3.5, which spec requires to be treated
       * as equivalent to v3.3 by servers
       */
      if (vs->minor == 4 || vs->minor == 5)
      }
      /* Some broken clients report v3.4 or v3.5, which spec requires to be treated
       * as equivalent to v3.3 by servers
       */
      if (vs->minor == 4 || vs->minor == 5)
-       vs->minor = 3;
+        vs->minor = 3;
  
      if (vs->minor == 3) {
  
      if (vs->minor == 3) {
-       if (vs->auth == VNC_AUTH_NONE) {
+        if (vs->vd->auth == VNC_AUTH_NONE) {
              VNC_DEBUG("Tell client auth none\n");
              VNC_DEBUG("Tell client auth none\n");
-            vnc_write_u32(vs, vs->auth);
+            vnc_write_u32(vs, vs->vd->auth);
              vnc_flush(vs);
              vnc_flush(vs);
-            vnc_read_when(vs, protocol_client_init, 1);
-       } else if (vs->auth == VNC_AUTH_VNC) {
+            start_client_init(vs);
+       } else if (vs->vd->auth == VNC_AUTH_VNC) {
              VNC_DEBUG("Tell client VNC auth\n");
              VNC_DEBUG("Tell client VNC auth\n");
-            vnc_write_u32(vs, vs->auth);
+            vnc_write_u32(vs, vs->vd->auth);
              vnc_flush(vs);
              start_auth_vnc(vs);
         } else {
              vnc_flush(vs);
              start_auth_vnc(vs);
         } else {
-            VNC_DEBUG("Unsupported auth %d for protocol 3.3\n", vs->auth);
+            VNC_DEBUG("Unsupported auth %d for protocol 3.3\n", vs->vd->auth);
              vnc_write_u32(vs, VNC_AUTH_INVALID);
              vnc_flush(vs);
              vnc_client_error(vs);
         }
      } else {
              vnc_write_u32(vs, VNC_AUTH_INVALID);
              vnc_flush(vs);
              vnc_client_error(vs);
         }
      } else {
-       VNC_DEBUG("Telling client we support auth %d\n", vs->auth);
-       vnc_write_u8(vs, 1); /* num auth */
-       vnc_write_u8(vs, vs->auth);
-       vnc_read_when(vs, protocol_client_auth, 1);
-       vnc_flush(vs);
+        VNC_DEBUG("Telling client we support auth %d\n", vs->vd->auth);
+        vnc_write_u8(vs, 1); /* num auth */
+        vnc_write_u8(vs, vs->vd->auth);
+        vnc_read_when(vs, protocol_client_auth, 1);
+        vnc_flush(vs);
      }
  
      return 0;
  }
  
      }
  
      return 0;
  }
  
-static void vnc_connect(VncState *vs)
+static void vnc_connect(VncDisplay *vd, int csock)
  {
  {
-    VNC_DEBUG("New client on socket %d\n", vs->csock);
-    vs->ds->idle = 0;
+    VncState *vs = qemu_mallocz(sizeof(VncState));
+    vs->csock = csock;
+
+    VNC_DEBUG("New client on socket %d\n", csock);
+    dcl->idle = 0;
      socket_set_nonblock(vs->csock);
      qemu_set_fd_handler2(vs->csock, NULL, vnc_client_read, NULL, vs);
      socket_set_nonblock(vs->csock);
      qemu_set_fd_handler2(vs->csock, NULL, vnc_client_read, NULL, vs);
+
+    vs->vd = vd;
+    vs->ds = vd->ds;
+    vs->timer = qemu_new_timer(rt_clock, vnc_update_client, vs);
+    vs->last_x = -1;
+    vs->last_y = -1;
+
+    vs->as.freq = 44100;
+    vs->as.nchannels = 2;
+    vs->as.fmt = AUD_FMT_S16;
+    vs->as.endianness = 0;
+
+    vnc_resize(vs);
      vnc_write(vs, "RFB 003.008\n", 12);
      vnc_flush(vs);
      vnc_read_when(vs, protocol_version, 12);
      vnc_write(vs, "RFB 003.008\n", 12);
      vnc_flush(vs);
      vnc_read_when(vs, protocol_version, 12);
-    memset(vs->old_data, 0, ds_get_linesize(vs->ds) * ds_get_height(vs->ds));
-    memset(vs->dirty_row, 0xFF, sizeof(vs->dirty_row));
-    vs->has_resize = 0;
-    vs->has_hextile = 0;
-    vs->ds->dpy_copy = NULL;
+    reset_keys(vs);
+
+    vs->next = vd->clients;
+    vd->clients = vs;
+
      vnc_update_client(vs);
      vnc_update_client(vs);
+    /* vs might be free()ed here */
  }
  
  static void vnc_listen_read(void *opaque)
  {
  }
  
  static void vnc_listen_read(void *opaque)
  {
-    VncState *vs = opaque;
+    VncDisplay *vs = opaque;
      struct sockaddr_in addr;
      socklen_t addrlen = sizeof(addr);
  
      /* Catch-up */
      vga_hw_update();
  
      struct sockaddr_in addr;
      socklen_t addrlen = sizeof(addr);
  
      /* Catch-up */
      vga_hw_update();
  
-    vs->csock = accept(vs->lsock, (struct sockaddr *)&addr, &addrlen);
-    if (vs->csock != -1) {
-        vnc_connect(vs);
+    int csock = accept(vs->lsock, (struct sockaddr *)&addr, &addrlen);
+    if (csock != -1) {
+        vnc_connect(vs, csock);
      }
  }
  
  void vnc_display_init(DisplayState *ds)
  {
      }
  }
  
  void vnc_display_init(DisplayState *ds)
  {
-    VncState *vs;
+    VncDisplay *vs = qemu_mallocz(sizeof(*vs));
  
  
-    vs = qemu_mallocz(sizeof(VncState));
-    if (!vs)
-       exit(1);
+    dcl = qemu_mallocz(sizeof(DisplayChangeListener));
  
      ds->opaque = vs;
  
      ds->opaque = vs;
-    ds->idle = 1;
-    vnc_state = vs;
-    vs->display = NULL;
-    vs->password = NULL;
+    dcl->idle = 1;
+    vnc_display = vs;
  
      vs->lsock = -1;
  
      vs->lsock = -1;
-    vs->csock = -1;
-    vs->last_x = -1;
-    vs->last_y = -1;
  
      vs->ds = ds;
  
      if (keyboard_layout)
  
      vs->ds = ds;
  
      if (keyboard_layout)
-        vs->kbd_layout = init_keyboard_layout(keyboard_layout);
+        vs->kbd_layout = init_keyboard_layout(name2keysym, keyboard_layout);
      else
      else
-        vs->kbd_layout = init_keyboard_layout("en-us");
+        vs->kbd_layout = init_keyboard_layout(name2keysym, "en-us");
  
      if (!vs->kbd_layout)
  
      if (!vs->kbd_layout)
-       exit(1);
-
-    vs->timer = qemu_new_timer(rt_clock, vnc_update_client, vs);
-
-    vs->ds->data = NULL;
-    vs->ds->dpy_update = vnc_dpy_update;
-    vs->ds->dpy_resize = vnc_dpy_resize;
-    vs->ds->dpy_refresh = NULL;
-
-    vnc_colordepth(vs->ds, 32);
-    vnc_dpy_resize(vs->ds, 640, 400);
-}
-
-#ifdef CONFIG_VNC_TLS
-static int vnc_set_x509_credential(VncState *vs,
-                                  const char *certdir,
-                                  const char *filename,
-                                  char **cred,
-                                  int ignoreMissing)
-{
-    struct stat sb;
-
-    if (*cred) {
-       qemu_free(*cred);
-       *cred = NULL;
-    }
-
-    if (!(*cred = qemu_malloc(strlen(certdir) + strlen(filename) + 2)))
-       return -1;
+        exit(1);
  
  
-    strcpy(*cred, certdir);
-    strcat(*cred, "/");
-    strcat(*cred, filename);
-
-    VNC_DEBUG("Check %s\n", *cred);
-    if (stat(*cred, &sb) < 0) {
-       qemu_free(*cred);
-       *cred = NULL;
-       if (ignoreMissing && errno == ENOENT)
-           return 0;
-       return -1;
-    }
-
-    return 0;
+    dcl->dpy_copy = vnc_dpy_copy;
+    dcl->dpy_update = vnc_dpy_update;
+    dcl->dpy_resize = vnc_dpy_resize;
+    dcl->dpy_setdata = vnc_dpy_setdata;
+    register_displaychangelistener(ds, dcl);
  }
  
  }
  
-static int vnc_set_x509_credential_dir(VncState *vs,
-                                      const char *certdir)
-{
-    if (vnc_set_x509_credential(vs, certdir, X509_CA_CERT_FILE, &vs->x509cacert, 0) < 0)
-       goto cleanup;
-    if (vnc_set_x509_credential(vs, certdir, X509_CA_CRL_FILE, &vs->x509cacrl, 1) < 0)
-       goto cleanup;
-    if (vnc_set_x509_credential(vs, certdir, X509_SERVER_CERT_FILE, &vs->x509cert, 0) < 0)
-       goto cleanup;
-    if (vnc_set_x509_credential(vs, certdir, X509_SERVER_KEY_FILE, &vs->x509key, 0) < 0)
-       goto cleanup;
-
-    return 0;
-
- cleanup:
-    qemu_free(vs->x509cacert);
-    qemu_free(vs->x509cacrl);
-    qemu_free(vs->x509cert);
-    qemu_free(vs->x509key);
-    vs->x509cacert = vs->x509cacrl = vs->x509cert = vs->x509key = NULL;
-    return -1;
-}
-#endif /* CONFIG_VNC_TLS */
  
  void vnc_display_close(DisplayState *ds)
  {
  
  void vnc_display_close(DisplayState *ds)
  {
-    VncState *vs = ds ? (VncState *)ds->opaque : vnc_state;
+    VncDisplay *vs = ds ? (VncDisplay *)ds->opaque : vnc_display;
  
  
+    if (!vs)
+        return;
      if (vs->display) {
      if (vs->display) {
-       qemu_free(vs->display);
-       vs->display = NULL;
+        qemu_free(vs->display);
+        vs->display = NULL;
      }
      if (vs->lsock != -1) {
      }
      if (vs->lsock != -1) {
-       qemu_set_fd_handler2(vs->lsock, NULL, NULL, NULL, NULL);
-       close(vs->lsock);
-       vs->lsock = -1;
-    }
-    if (vs->csock != -1) {
-       qemu_set_fd_handler2(vs->csock, NULL, NULL, NULL, NULL);
-       closesocket(vs->csock);
-       vs->csock = -1;
-       buffer_reset(&vs->input);
-       buffer_reset(&vs->output);
-       vs->need_update = 0;
-#ifdef CONFIG_VNC_TLS
-       if (vs->tls_session) {
-           gnutls_deinit(vs->tls_session);
-           vs->tls_session = NULL;
-       }
-       vs->wiremode = VNC_WIREMODE_CLEAR;
-#endif /* CONFIG_VNC_TLS */
+        qemu_set_fd_handler2(vs->lsock, NULL, NULL, NULL, NULL);
+        close(vs->lsock);
+        vs->lsock = -1;
      }
      vs->auth = VNC_AUTH_INVALID;
  #ifdef CONFIG_VNC_TLS
      vs->subauth = VNC_AUTH_INVALID;
      }
      vs->auth = VNC_AUTH_INVALID;
  #ifdef CONFIG_VNC_TLS
      vs->subauth = VNC_AUTH_INVALID;
-    vs->x509verify = 0;
+    vs->tls.x509verify = 0;
  #endif
  }
  
  int vnc_display_password(DisplayState *ds, const char *password)
  {
  #endif
  }
  
  int vnc_display_password(DisplayState *ds, const char *password)
  {
-    VncState *vs = ds ? (VncState *)ds->opaque : vnc_state;
+    VncDisplay *vs = ds ? (VncDisplay *)ds->opaque : vnc_display;
  
      if (vs->password) {
  
      if (vs->password) {
-       qemu_free(vs->password);
-       vs->password = NULL;
+        qemu_free(vs->password);
+        vs->password = NULL;
      }
      if (password && password[0]) {
      }
      if (password && password[0]) {
-       if (!(vs->password = qemu_strdup(password)))
-           return -1;
+        if (!(vs->password = qemu_strdup(password)))
+            return -1;
      }
  
      return 0;
  }
  
      }
  
      return 0;
  }
  
+char *vnc_display_local_addr(DisplayState *ds)
+{
+    VncDisplay *vs = ds ? (VncDisplay *)ds->opaque : vnc_display;
+    
+    return vnc_socket_local_addr("%s:%s", vs->lsock);
+}
+
  int vnc_display_open(DisplayState *ds, const char *display)
  {
  int vnc_display_open(DisplayState *ds, const char *display)
  {
-    VncState *vs = ds ? (VncState *)ds->opaque : vnc_state;
+    VncDisplay *vs = ds ? (VncDisplay *)ds->opaque : vnc_display;
      const char *options;
      int password = 0;
      int reverse = 0;
      const char *options;
      int password = 0;
      int reverse = 0;
@@ -2297,99 +2211,176 @@ int vnc_display_open(DisplayState *ds, const char *display)
  #ifdef CONFIG_VNC_TLS
      int tls = 0, x509 = 0;
  #endif
  #ifdef CONFIG_VNC_TLS
      int tls = 0, x509 = 0;
  #endif
+#ifdef CONFIG_VNC_SASL
+    int sasl = 0;
+    int saslErr;
+#endif
+    int acl = 0;
  
  
+    if (!vnc_display)
+        return -1;
      vnc_display_close(ds);
      if (strcmp(display, "none") == 0)
      vnc_display_close(ds);
      if (strcmp(display, "none") == 0)
-       return 0;
+        return 0;
  
      if (!(vs->display = strdup(display)))
  
      if (!(vs->display = strdup(display)))
-       return -1;
+        return -1;
  
      options = display;
      while ((options = strchr(options, ','))) {
  
      options = display;
      while ((options = strchr(options, ','))) {
-       options++;
-       if (strncmp(options, "password", 8) == 0) {
-           password = 1; /* Require password auth */
-       } else if (strncmp(options, "reverse", 7) == 0) {
-           reverse = 1;
-       } else if (strncmp(options, "to=", 3) == 0) {
+        options++;
+        if (strncmp(options, "password", 8) == 0) {
+            password = 1; /* Require password auth */
+        } else if (strncmp(options, "reverse", 7) == 0) {
+            reverse = 1;
+        } else if (strncmp(options, "to=", 3) == 0) {
              to_port = atoi(options+3) + 5900;
              to_port = atoi(options+3) + 5900;
+#ifdef CONFIG_VNC_SASL
+        } else if (strncmp(options, "sasl", 4) == 0) {
+            sasl = 1; /* Require SASL auth */
+#endif
  #ifdef CONFIG_VNC_TLS
  #ifdef CONFIG_VNC_TLS
-       } else if (strncmp(options, "tls", 3) == 0) {
-           tls = 1; /* Require TLS */
-       } else if (strncmp(options, "x509", 4) == 0) {
-           char *start, *end;
-           x509 = 1; /* Require x509 certificates */
-           if (strncmp(options, "x509verify", 10) == 0)
-               vs->x509verify = 1; /* ...and verify client certs */
-
-           /* Now check for 'x509=/some/path' postfix
-            * and use that to setup x509 certificate/key paths */
-           start = strchr(options, '=');
-           end = strchr(options, ',');
-           if (start && (!end || (start < end))) {
-               int len = end ? end-(start+1) : strlen(start+1);
-               char *path = qemu_strndup(start + 1, len);
-
-               VNC_DEBUG("Trying certificate path '%s'\n", path);
-               if (vnc_set_x509_credential_dir(vs, path) < 0) {
-                   fprintf(stderr, "Failed to find x509 certificates/keys in %s\n", path);
-                   qemu_free(path);
-                   qemu_free(vs->display);
-                   vs->display = NULL;
-                   return -1;
-               }
-               qemu_free(path);
-           } else {
-               fprintf(stderr, "No certificate path provided\n");
-               qemu_free(vs->display);
-               vs->display = NULL;
-               return -1;
-           }
+        } else if (strncmp(options, "tls", 3) == 0) {
+            tls = 1; /* Require TLS */
+        } else if (strncmp(options, "x509", 4) == 0) {
+            char *start, *end;
+            x509 = 1; /* Require x509 certificates */
+            if (strncmp(options, "x509verify", 10) == 0)
+                vs->tls.x509verify = 1; /* ...and verify client certs */
+
+            /* Now check for 'x509=/some/path' postfix
+             * and use that to setup x509 certificate/key paths */
+            start = strchr(options, '=');
+            end = strchr(options, ',');
+            if (start && (!end || (start < end))) {
+                int len = end ? end-(start+1) : strlen(start+1);
+                char *path = qemu_strndup(start + 1, len);
+
+                VNC_DEBUG("Trying certificate path '%s'\n", path);
+                if (vnc_tls_set_x509_creds_dir(vs, path) < 0) {
+                    fprintf(stderr, "Failed to find x509 certificates/keys in %s\n", path);
+                    qemu_free(path);
+                    qemu_free(vs->display);
+                    vs->display = NULL;
+                    return -1;
+                }
+                qemu_free(path);
+            } else {
+                fprintf(stderr, "No certificate path provided\n");
+                qemu_free(vs->display);
+                vs->display = NULL;
+                return -1;
+            }
  #endif
  #endif
-       }
+        } else if (strncmp(options, "acl", 3) == 0) {
+            acl = 1;
+        }
      }
  
      }
  
-    if (password) {
  #ifdef CONFIG_VNC_TLS
  #ifdef CONFIG_VNC_TLS
-       if (tls) {
-           vs->auth = VNC_AUTH_VENCRYPT;
-           if (x509) {
-               VNC_DEBUG("Initializing VNC server with x509 password auth\n");
-               vs->subauth = VNC_AUTH_VENCRYPT_X509VNC;
-           } else {
-               VNC_DEBUG("Initializing VNC server with TLS password auth\n");
-               vs->subauth = VNC_AUTH_VENCRYPT_TLSVNC;
-           }
-       } else {
+    if (acl && x509 && vs->tls.x509verify) {
+        if (!(vs->tls.acl = qemu_acl_init("vnc.x509dname"))) {
+            fprintf(stderr, "Failed to create x509 dname ACL\n");
+            exit(1);
+        }
+    }
  #endif
  #endif
-           VNC_DEBUG("Initializing VNC server with password auth\n");
-           vs->auth = VNC_AUTH_VNC;
-#ifdef CONFIG_VNC_TLS
-           vs->subauth = VNC_AUTH_INVALID;
-       }
+#ifdef CONFIG_VNC_SASL
+    if (acl && sasl) {
+        if (!(vs->sasl.acl = qemu_acl_init("vnc.username"))) {
+            fprintf(stderr, "Failed to create username ACL\n");
+            exit(1);
+        }
+    }
  #endif
  #endif
+
+    /*
+     * Combinations we support here:
+     *
+     *  - no-auth                (clear text, no auth)
+     *  - password               (clear text, weak auth)
+     *  - sasl                   (encrypt, good auth *IF* using Kerberos via GSSAPI)
+     *  - tls                    (encrypt, weak anonymous creds, no auth)
+     *  - tls + password         (encrypt, weak anonymous creds, weak auth)
+     *  - tls + sasl             (encrypt, weak anonymous creds, good auth)
+     *  - tls + x509             (encrypt, good x509 creds, no auth)
+     *  - tls + x509 + password  (encrypt, good x509 creds, weak auth)
+     *  - tls + x509 + sasl      (encrypt, good x509 creds, good auth)
+     *
+     * NB1. TLS is a stackable auth scheme.
+     * NB2. the x509 schemes have option to validate a client cert dname
+     */
+    if (password) {
+#ifdef CONFIG_VNC_TLS
+        if (tls) {
+            vs->auth = VNC_AUTH_VENCRYPT;
+            if (x509) {
+                VNC_DEBUG("Initializing VNC server with x509 password auth\n");
+                vs->subauth = VNC_AUTH_VENCRYPT_X509VNC;
+            } else {
+                VNC_DEBUG("Initializing VNC server with TLS password auth\n");
+                vs->subauth = VNC_AUTH_VENCRYPT_TLSVNC;
+            }
+        } else {
+#endif /* CONFIG_VNC_TLS */
+            VNC_DEBUG("Initializing VNC server with password auth\n");
+            vs->auth = VNC_AUTH_VNC;
+#ifdef CONFIG_VNC_TLS
+            vs->subauth = VNC_AUTH_INVALID;
+        }
+#endif /* CONFIG_VNC_TLS */
+#ifdef CONFIG_VNC_SASL
+    } else if (sasl) {
+#ifdef CONFIG_VNC_TLS
+        if (tls) {
+            vs->auth = VNC_AUTH_VENCRYPT;
+            if (x509) {
+                VNC_DEBUG("Initializing VNC server with x509 SASL auth\n");
+                vs->subauth = VNC_AUTH_VENCRYPT_X509SASL;
+            } else {
+                VNC_DEBUG("Initializing VNC server with TLS SASL auth\n");
+                vs->subauth = VNC_AUTH_VENCRYPT_TLSSASL;
+            }
+        } else {
+#endif /* CONFIG_VNC_TLS */
+            VNC_DEBUG("Initializing VNC server with SASL auth\n");
+            vs->auth = VNC_AUTH_SASL;
+#ifdef CONFIG_VNC_TLS
+            vs->subauth = VNC_AUTH_INVALID;
+        }
+#endif /* CONFIG_VNC_TLS */
+#endif /* CONFIG_VNC_SASL */
      } else {
  #ifdef CONFIG_VNC_TLS
      } else {
  #ifdef CONFIG_VNC_TLS
-       if (tls) {
-           vs->auth = VNC_AUTH_VENCRYPT;
-           if (x509) {
-               VNC_DEBUG("Initializing VNC server with x509 no auth\n");
-               vs->subauth = VNC_AUTH_VENCRYPT_X509NONE;
-           } else {
-               VNC_DEBUG("Initializing VNC server with TLS no auth\n");
-               vs->subauth = VNC_AUTH_VENCRYPT_TLSNONE;
-           }
-       } else {
+        if (tls) {
+            vs->auth = VNC_AUTH_VENCRYPT;
+            if (x509) {
+                VNC_DEBUG("Initializing VNC server with x509 no auth\n");
+                vs->subauth = VNC_AUTH_VENCRYPT_X509NONE;
+            } else {
+                VNC_DEBUG("Initializing VNC server with TLS no auth\n");
+                vs->subauth = VNC_AUTH_VENCRYPT_TLSNONE;
+            }
+        } else {
  #endif
  #endif
-           VNC_DEBUG("Initializing VNC server with no auth\n");
-           vs->auth = VNC_AUTH_NONE;
+            VNC_DEBUG("Initializing VNC server with no auth\n");
+            vs->auth = VNC_AUTH_NONE;
  #ifdef CONFIG_VNC_TLS
  #ifdef CONFIG_VNC_TLS
-           vs->subauth = VNC_AUTH_INVALID;
-       }
+            vs->subauth = VNC_AUTH_INVALID;
+        }
  #endif
      }
  
  #endif
      }
  
+#ifdef CONFIG_VNC_SASL
+    if ((saslErr = sasl_server_init(NULL, "qemu")) != SASL_OK) {
+        fprintf(stderr, "Failed to initialize SASL auth %s",
+                sasl_errstring(saslErr, NULL, NULL));
+        free(vs->display);
+        vs->display = NULL;
+        return -1;
+    }
+#endif
+
      if (reverse) {
          /* connect to viewer */
          if (strncmp(display, "unix:", 5) == 0)
      if (reverse) {
          /* connect to viewer */
          if (strncmp(display, "unix:", 5) == 0)
@@ -2401,9 +2392,9 @@ int vnc_display_open(DisplayState *ds, const char *display)
              vs->display = NULL;
              return -1;
          } else {
              vs->display = NULL;
              return -1;
          } else {
-            vs->csock = vs->lsock;
+            int csock = vs->lsock;
              vs->lsock = -1;
              vs->lsock = -1;
-            vnc_connect(vs);
+            vnc_connect(vs, csock);
          }
          return 0;
  
          }
          return 0;
  
@@ -2412,8 +2403,8 @@ int vnc_display_open(DisplayState *ds, const char *display)
          char *dpy;
          dpy = qemu_malloc(256);
          if (strncmp(display, "unix:", 5) == 0) {
          char *dpy;
          dpy = qemu_malloc(256);
          if (strncmp(display, "unix:", 5) == 0) {
-            strcpy(dpy, "unix:");
-            vs->lsock = unix_listen(display, dpy+5, 256-5);
+            pstrcpy(dpy, 256, "unix:");
+            vs->lsock = unix_listen(display+5, dpy+5, 256-5);
          } else {
              vs->lsock = inet_listen(display, dpy, 256, SOCK_STREAM, 5900);
          }
          } else {
              vs->lsock = inet_listen(display, dpy, 256, SOCK_STREAM, 5900);
          }
@@ -2425,6 +2416,5 @@ int vnc_display_open(DisplayState *ds, const char *display)
              vs->display = dpy;
          }
      }
              vs->display = dpy;
          }
      }
-
-    return qemu_set_fd_handler2(vs->lsock, vnc_listen_poll, vnc_listen_read, NULL, vs);
+    return qemu_set_fd_handler2(vs->lsock, NULL, vnc_listen_read, NULL, vs);
  }
  }