1From fa768720e76360248ac125ecab2efe515d573eb3 Mon Sep 17 00:00:00 2001
2From: Philipp Zabel <p.zabel@pengutronix.de>
3Date: Thu, 6 Oct 2022 12:18:04 +0200
4Subject: [PATCH 88/93] backend-vnc: enable TLS support
5
6Add TLS key and certificate parameters to enable encryption support.
7
8Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
9(cherry picked from commit 1a027e63cb4dda7a7483034e89314bd8b064ed1b)
10Signed-off-by: Jeffy Chen <jeffy.chen@rock-chips.com>
11---
12 compositor/main.c | 6 ++++++
13 include/libweston/backend-vnc.h | 2 ++
14 libweston/backend-vnc/vnc.c | 24 ++++++++++++++++++++++++
15 man/weston-vnc.man | 33 ++++++++++++++++++++++++++++++---
16 4 files changed, 62 insertions(+), 3 deletions(-)
17
18diff --git a/compositor/main.c b/compositor/main.c
19index e30f27e..ed5c818 100644
20--- a/compositor/main.c
21+++ b/compositor/main.c
22@@ -730,6 +730,8 @@ usage(int error_code)
23 " --width=WIDTH\t\tWidth of desktop\n"
24 " --height=HEIGHT\tHeight of desktop\n"
25 " --port=PORT\t\tThe port to listen on\n"
26+ " --vnc-tls-cert=FILE\tThe file containing the certificate for TLS encryption\n"
27+ " --vnc-tls-key=FILE\tThe file containing the private key for TLS encryption\n"
28 "\n");
29 #endif
30
31@@ -3253,6 +3255,8 @@ load_vnc_backend(struct weston_compositor *c,
32 { WESTON_OPTION_INTEGER, "height", 0, &parsed_options->height },
33 { WESTON_OPTION_STRING, "address", 0, &config.bind_address },
34 { WESTON_OPTION_INTEGER, "port", 0, &config.port },
35+ { WESTON_OPTION_STRING, "vnc-tls-cert", 0, &config.server_cert },
36+ { WESTON_OPTION_STRING, "vnc-tls-key", 0, &config.server_key },
37 };
38
39 parse_options(vnc_options, ARRAY_LENGTH(vnc_options), argc, argv);
40@@ -3267,6 +3271,8 @@ load_vnc_backend(struct weston_compositor *c,
41 &config.base);
42
43 free(config.bind_address);
44+ free(config.server_cert);
45+ free(config.server_key);
46
47 return ret;
48 }
49diff --git a/include/libweston/backend-vnc.h b/include/libweston/backend-vnc.h
50index 
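Review bot: The new usage() lines for --vnc-tls-cert and --vnc-tls-key do not say that the two options are only accepted as a pair, which is what the backend enforces in this same patch (vnc_backend_create rejects a lone certificate or a lone key at startup). Since usage() is the first place a user looks, I would state the coupling there rather than only in the man page, e.g. `" --vnc-tls-cert=FILE\tThe file containing the certificate for TLS encryption (requires --vnc-tls-key)\n"` and `" --vnc-tls-key=FILE\tThe file containing the private key for TLS encryption (requires --vnc-tls-cert)\n"`. The usage() function itself starts and ends outside this hunk.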
0085df5..3495c0e 100644
51--- a/include/libweston/backend-vnc.h
52+++ b/include/libweston/backend-vnc.h
53@@ -62,6 +62,8 @@ struct weston_vnc_backend_config {
54 char *bind_address;
55 int port;
56 int refresh_rate;
57+ char *server_cert;
58+ char *server_key;
59 };
60
61 #ifdef __cplusplus
62diff --git a/libweston/backend-vnc/vnc.c b/libweston/backend-vnc/vnc.c
63index 190fe92..e57e377 100644
64--- a/libweston/backend-vnc/vnc.c
65+++ b/libweston/backend-vnc/vnc.c
66@@ -997,6 +997,30 @@ vnc_backend_create(struct weston_compositor *compositor,
67 nvnc_set_userdata(backend->server, backend, NULL);
68 nvnc_set_name(backend->server, "Weston VNC backend");
69
70+ if (config->server_cert || config->server_key) {
71+ if (!nvnc_has_auth()) {
72+ weston_log("Neat VNC built without TLS support\n");
73+ goto err_output;
74+ }
75+ if (!config->server_cert) {
76+ weston_log("Missing TLS certificate (--vnc-tls-cert)\n");
77+ goto err_output;
78+ }
79+ if (!config->server_key) {
80+ weston_log("Missing TLS key (--vnc-tls-key)\n");
81+ goto err_output;
82+ }
83+
84+ ret = nvnc_enable_auth(backend->server, config->server_key,
85+ config->server_cert, NULL, NULL);
86+ if (ret) {
87+ weston_log("Failed to enable TLS support\n");
88+ goto err_output;
89+ }
90+
91+ weston_log("TLS support activated\n");
92+ }
93+
94 ret = weston_plugin_api_register(compositor, WESTON_VNC_OUTPUT_API_NAME,
95 &api, sizeof(api));
96 if (ret < 0) {
97diff --git a/man/weston-vnc.man b/man/weston-vnc.man
98index 6491097..582fe28 100644
99--- a/man/weston-vnc.man
100+++ b/man/weston-vnc.man
101@@ -19,9 +19,8 @@ the graphical content, depending on what is supported by the VNC client.
102 The VNC backend is not multi-seat aware, so if a second client connects to the
103 backend, the first client will be disconnected.
104
105-Note that authentication and encryption are not supported yet. 
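Review bot: The two new `server_cert`/`server_key` members of struct weston_vnc_backend_config carry no documentation, and this is a public libweston header, so neither the format expected nor the ownership of the strings is stated anywhere a backend user can see. From the rest of this patch both must be set together (vnc_backend_create rejects one without the other), they are handed to nvnc_enable_auth as file paths, and main.c frees them right after the backend is loaded, so the caller keeps ownership. I would put that on the fields: `/* Paths to the PEM TLS certificate and private key files; set both or neither. The caller retains ownership of the strings. */`. Whether the backend or neat-vnc holds on to the paths after load is not visible here and should be confirmed before any caller frees them earlier than main.c does; the struct definition begins before this hunk.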
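Review bot: The `nvnc_enable_auth(backend->server, config->server_key, config->server_cert, NULL, NULL)` call passes NULL for the two trailing arguments (presumably the authentication callback and its userdata), so what this block turns on is transport encryption only — any client that can reach the port is still accepted, which the man-page change in this same patch acknowledges — yet the code and the "TLS support activated" message say nothing about that. I would add above the call `/* Transport encryption only: no auth callback is registered yet, so reaching the port still equals access to the desktop (see weston-vnc(1)). */`, and make the failure path diagnosable, since an unreadable key or a wrong path currently yields only a generic message: `weston_log("Failed to enable TLS support (key %s, cert %s)\n", config->server_key, config->server_cert);`. Whether neat-vnc still offers a plaintext security type once TLS is enabled is not visible here; if it does, a client could downgrade past this block, so that is worth checking against the neatvnc version in use. vnc_backend_create and the err_output label both lie outside this hunk.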
Anyone with
106-access to the port can get control of the desktop via the VNC output, and
107-all data is transferred in plaintext.
108+Note that authentication is not supported yet. Anyone with access to the port
109+can get control of the desktop via the VNC output.
110
111 .\" ***************************************************************
112 .SH CONFIGURATION
113@@ -50,7 +49,35 @@ The height of the framebuffer. It defaults to 480.
114 .TP
115 \fB\-\-port\fR=\fIport\fR
116 The TCP port to listen on for connections. It defaults to 5900.
117+.TP
118+\fB\-\-vnc\-tls\-key\fR=\fIfile\fR
119+The file containing the key for doing TLS security. To have TLS security you also need
120+to ship a file containing a certificate.
121+.TP
122+\fB\-\-vnc\-tls\-cert\fR=\fIfile\fR
123+The file containing the certificate for doing TLS security. To have TLS security you also need
124+to ship a key file.
125+
126+
127+.\" ***************************************************************
128+.SH Generating cryptographic material for the VNC backend
129+.
130+You can generate a key and certificate file to use with TLS security using typical
131+.B openssl
132+invocations:
133
134+.nf
135+$ openssl genrsa -out tls.key 2048
136+Generating RSA private key, 2048 bit long modulus
137+[...]
138+$ openssl req -new -key tls.key -out tls.csr
139+[...]
140+$ openssl x509 -req -days 365 -signkey tls.key -in tls.csr -out tls.crt
141+[...]
142+.fi
143+
144+You will get the tls.key and tls.crt files to use with the VNC backend.
145+.
146 .\" ***************************************************************
147 .SH "SEE ALSO"
148 .BR weston (1)
149-- 
1502.20.1
151
152