backend-vnc: enable TLS support

Add TLS key and certificate parameters to enable encryption support. Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
2024-07-01 07:14:39 +00:00 · 2022-10-06 12:18:04 +02:00 · 2022-10-06 12:18:04 +02:00 · 1a027e63cb
commit 1a027e63cb
parent 9a386f5de5
4 changed files with 62 additions and 3 deletions
--- a/compositor/main.c
+++ b/compositor/main.c
@ -729,6 +729,8 @@ usage(int error_code)
 		"  --width=WIDTH\t\tWidth of desktop\n"
 		"  --height=HEIGHT\tHeight of desktop\n"
 		"  --port=PORT\t\tThe port to listen on\n"
+		"  --vnc-tls-cert=FILE\tThe file containing the certificate for TLS encryption\n"
+		"  --vnc-tls-key=FILE\tThe file containing the private key for TLS encryption\n"
 		"\n");
 #endif

@ -3184,6 +3186,8 @@ load_vnc_backend(struct weston_compositor *c,
 		{ WESTON_OPTION_INTEGER, "height", 0, &parsed_options->height },
 		{ WESTON_OPTION_STRING,  "address", 0, &config.bind_address },
 		{ WESTON_OPTION_INTEGER, "port", 0, &config.port },
+		{ WESTON_OPTION_STRING,  "vnc-tls-cert", 0, &config.server_cert },
+		{ WESTON_OPTION_STRING,  "vnc-tls-key", 0, &config.server_key },
 	};

 	parse_options(vnc_options, ARRAY_LENGTH(vnc_options), argc, argv);
@ -3198,6 +3202,8 @@ load_vnc_backend(struct weston_compositor *c,
 					     &config.base);

 	free(config.bind_address);
+	free(config.server_cert);
+	free(config.server_key);

 	return ret;
 }
--- a/include/libweston/backend-vnc.h
+++ b/include/libweston/backend-vnc.h
@ -62,6 +62,8 @@ struct weston_vnc_backend_config {
 	char *bind_address;
 	int port;
 	int refresh_rate;
+	char *server_cert;
+	char *server_key;
 };

 #ifdef  __cplusplus
--- a/libweston/backend-vnc/vnc.c
+++ b/libweston/backend-vnc/vnc.c
@ -997,6 +997,30 @@ vnc_backend_create(struct weston_compositor *compositor,
 	nvnc_set_userdata(backend->server, backend, NULL);
 	nvnc_set_name(backend->server, "Weston VNC backend");

+	if (config->server_cert || config->server_key) {
+		if (!nvnc_has_auth()) {
+			weston_log("Neat VNC built without TLS support\n");
+			goto err_output;
+		}
+		if (!config->server_cert) {
+			weston_log("Missing TLS certificate (--vnc-tls-cert)\n");
+			goto err_output;
+		}
+		if (!config->server_key) {
+			weston_log("Missing TLS key (--vnc-tls-key)\n");
+			goto err_output;
+		}
+
+		ret = nvnc_enable_auth(backend->server, config->server_key,
+				       config->server_cert, NULL, NULL);
+		if (ret) {
+			weston_log("Failed to enable TLS support\n");
+			goto err_output;
+		}
+
+		weston_log("TLS support activated\n");
+	}
+
 	ret = weston_plugin_api_register(compositor, WESTON_VNC_OUTPUT_API_NAME,
 					 &api, sizeof(api));
 	if (ret < 0) {
--- a/man/weston-vnc.man
+++ b/man/weston-vnc.man
@ -19,9 +19,8 @@ the graphical content, depending on what is supported by the VNC client.
 The VNC backend is not multi-seat aware, so if a second client connects to the
 backend, the first client will be disconnected.

-Note that authentication and encryption are not supported yet. Anyone with
-access to the port can get control of the desktop via the VNC output, and
-all data is transferred in plaintext.
+Note that authentication is not supported yet. Anyone with access to the port
+can get control of the desktop via the VNC output.

 .\" ***************************************************************
 .SH CONFIGURATION
@ -50,7 +49,35 @@ The height of the framebuffer. It defaults to 480.
 .TP
 \fB\-\-port\fR=\fIport\fR
 The TCP port to listen on for connections. It defaults to 5900.
+.TP
+\fB\-\-vnc\-tls\-key\fR=\fIfile\fR
+The file containing the key for doing TLS security. To have TLS security you also need
+to ship a file containing a certificate.
+.TP
+\fB\-\-vnc\-tls\-cert\fR=\fIfile\fR
+The file containing the certificate for doing TLS security. To have TLS security you also need
+to ship a key file.

+
+.\" ***************************************************************
+.SH Generating cryptographic material for the VNC backend
+.
+You can generate a key and certificate file to use with TLS security using typical
+.B openssl
+invocations:
+
+.nf
+$ openssl genrsa -out tls.key 2048
+Generating RSA private key, 2048 bit long modulus
+[...]
+$ openssl req -new -key tls.key -out tls.csr
+[...]
+$ openssl x509 -req -days 365 -signkey tls.key -in tls.csr -out tls.crt
+[...]
+.fi
+
+You will get the tls.key and tls.crt files to use with the VNC backend.
+.
 .\" ***************************************************************
 .SH "SEE ALSO"
 .BR weston (1)