From 1a027e63cb4dda7a7483034e89314bd8b064ed1b Mon Sep 17 00:00:00 2001
From: Philipp Zabel
Date: Thu, 6 Oct 2022 12:18:04 +0200
Subject: [PATCH] backend-vnc: enable TLS support
Add TLS key and certificate parameters to enable encryption support.
Signed-off-by: Philipp Zabel
---
compositor/main.c | 6 ++++++
include/libweston/backend-vnc.h | 2 ++
libweston/backend-vnc/vnc.c | 24 ++++++++++++++++++++++++
man/weston-vnc.man | 33 ++++++++++++++++++++++++++++++---
4 files changed, 62 insertions(+), 3 deletions(-)
diff --git a/compositor/main.c b/compositor/main.c
index e93d551b..a14c3f34 100644
--- a/compositor/main.c
+++ b/compositor/main.c
@@ -729,6 +729,8 @@ usage(int error_code)
" --width=WIDTH\t\tWidth of desktop\n"
" --height=HEIGHT\tHeight of desktop\n"
" --port=PORT\t\tThe port to listen on\n"
+ " --vnc-tls-cert=FILE\tThe file containing the certificate for TLS encryption\n"
+ " --vnc-tls-key=FILE\tThe file containing the private key for TLS encryption\n"
"\n");
#endif
@@ -3184,6 +3186,8 @@ load_vnc_backend(struct weston_compositor *c,
{ WESTON_OPTION_INTEGER, "height", 0, &parsed_options->height },
{ WESTON_OPTION_STRING, "address", 0, &config.bind_address },
{ WESTON_OPTION_INTEGER, "port", 0, &config.port },
+ { WESTON_OPTION_STRING, "vnc-tls-cert", 0, &config.server_cert },
+ { WESTON_OPTION_STRING, "vnc-tls-key", 0, &config.server_key },
};
parse_options(vnc_options, ARRAY_LENGTH(vnc_options), argc, argv);
@@ -3198,6 +3202,8 @@ load_vnc_backend(struct weston_compositor *c,
&config.base);
free(config.bind_address);
+ free(config.server_cert);
+ free(config.server_key);
return ret;
}
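Review bot: `free(config.server_cert)` and `free(config.server_key)` run as soon as the backend has been loaded, so the backend must not hold on to these pointers; in the vnc.c hunk they are handed straight to nvnc_enable_auth(), which is only safe if that call reads the files at once rather than storing the paths — worth confirming against the Neat VNC version Weston is built against. When an option is not given the pointer keeps whatever `config` was initialised to before this hunk, so the struct presumably needs to be zero-initialised for both these frees and the `config->server_cert || config->server_key` test in vnc.c to be correct. load_vnc_backend begins outside the hunk.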
diff --git a/include/libweston/backend-vnc.h b/include/libweston/backend-vnc.h
index 0085df5f..3495c0e4 100644
--- a/include/libweston/backend-vnc.h
+++ b/include/libweston/backend-vnc.h
@@ -62,6 +62,8 @@ struct weston_vnc_backend_config {
char *bind_address;
int port;
int refresh_rate;
+ char *server_cert;
+ char *server_key;
};
#ifdef __cplusplus
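Review bot: The new fields `server_cert` and `server_key` carry no documentation, yet the backend imposes rules on them that a caller cannot see from this header: both must be set together (the vnc.c hunk rejects either one on its own) and the strings stay owned by the caller, who frees them after loading the backend (main.c hunk). I would add `/** Paths to the TLS certificate and private key files; set both or neither. Owned by the caller; may be NULL to leave TLS disabled. */` above `char *server_cert;`. The surrounding struct begins before this hunk.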
diff --git a/libweston/backend-vnc/vnc.c b/libweston/backend-vnc/vnc.c
index 190fe92a..e57e3775 100644
--- a/libweston/backend-vnc/vnc.c
+++ b/libweston/backend-vnc/vnc.c
@@ -997,6 +997,30 @@ vnc_backend_create(struct weston_compositor *compositor,
nvnc_set_userdata(backend->server, backend, NULL);
nvnc_set_name(backend->server, "Weston VNC backend");
+ if (config->server_cert || config->server_key) {
+ if (!nvnc_has_auth()) {
+ weston_log("Neat VNC built without TLS support\n");
+ goto err_output;
+ }
+ if (!config->server_cert) {
+ weston_log("Missing TLS certificate (--vnc-tls-cert)\n");
+ goto err_output;
+ }
+ if (!config->server_key) {
+ weston_log("Missing TLS key (--vnc-tls-key)\n");
+ goto err_output;
+ }
+
+ ret = nvnc_enable_auth(backend->server, config->server_key,
+ config->server_cert, NULL, NULL);
+ if (ret) {
+ weston_log("Failed to enable TLS support\n");
+ goto err_output;
+ }
+
+ weston_log("TLS support activated\n");
+ }
+
ret = weston_plugin_api_register(compositor, WESTON_VNC_OUTPUT_API_NAME,
&api, sizeof(api));
if (ret < 0) {
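Review bot: The call `nvnc_enable_auth(backend->server, config->server_key, config->server_cert, NULL, NULL)` passes a NULL authentication callback, so as far as this hunk shows it turns on transport encryption only: a client that completes the TLS handshake is still granted the desktop, which is what the man page change in this patch keeps saying about authentication. That is a deliberate limitation and should be stated at the call site, e.g. `/* Encryption only: no auth callback, every client that completes the TLS handshake is accepted. */`, and it is worth confirming that the Neat VNC version in use tolerates a NULL callback on its password-based VeNCrypt path rather than calling through it. The `TLS support activated` message is logged before the remaining setup below, so a later `goto err_output` leaves a misleading success line in the log; moving it after the last failure point, or wording it as `TLS enabled for VNC server` would avoid that. vnc_backend_create continues outside the hunk on both sides.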
diff --git a/man/weston-vnc.man b/man/weston-vnc.man
index 64910972..582fe28f 100644
--- a/man/weston-vnc.man
+++ b/man/weston-vnc.man
@@ -19,9 +19,8 @@ the graphical content, depending on what is supported by the VNC client.
The VNC backend is not multi-seat aware, so if a second client connects to the
backend, the first client will be disconnected.
-Note that authentication and encryption are not supported yet. Anyone with
-access to the port can get control of the desktop via the VNC output, and
-all data is transferred in plaintext.
+Note that authentication is not supported yet. Anyone with access to the port
+can get control of the desktop via the VNC output.
.\" ***************************************************************
.SH CONFIGURATION
@@ -50,7 +49,35 @@ The height of the framebuffer. It defaults to 480.
.TP
\fB\-\-port\fR=\fIport\fR
The TCP port to listen on for connections. It defaults to 5900.
+.TP
+\fB\-\-vnc\-tls\-key\fR=\fIfile\fR
+The file containing the key for doing TLS security. To have TLS security you also need
+to ship a file containing a certificate.
+.TP
+\fB\-\-vnc\-tls\-cert\fR=\fIfile\fR
+The file containing the certificate for doing TLS security. To have TLS security you also need
+to ship a key file.
+
+.\" ***************************************************************
+.SH Generating cryptographic material for the VNC backend
+.
+You can generate a key and certificate file to use with TLS security using typical
+.B openssl
+invocations:
+
+.nf
+$ openssl genrsa -out tls.key 2048
+Generating RSA private key, 2048 bit long modulus
+[...]
+$ openssl req -new -key tls.key -out tls.csr
+[...]
+$ openssl x509 -req -days 365 -signkey tls.key -in tls.csr -out tls.crt
+[...]
+.fi
+
+You will get the tls.key and tls.crt files to use with the VNC backend.
+.
.\" ***************************************************************
.SH "SEE ALSO"
.BR weston (1)