backend-vnc: enable TLS support
Add TLS key and certificate parameters to enable encryption support. Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
parent
9a386f5de5
commit
1a027e63cb
|
@ -729,6 +729,8 @@ usage(int error_code)
|
||||||
" --width=WIDTH\t\tWidth of desktop\n"
|
" --width=WIDTH\t\tWidth of desktop\n"
|
||||||
" --height=HEIGHT\tHeight of desktop\n"
|
" --height=HEIGHT\tHeight of desktop\n"
|
||||||
" --port=PORT\t\tThe port to listen on\n"
|
" --port=PORT\t\tThe port to listen on\n"
|
||||||
|
" --vnc-tls-cert=FILE\tThe file containing the certificate for TLS encryption\n"
|
||||||
|
" --vnc-tls-key=FILE\tThe file containing the private key for TLS encryption\n"
|
||||||
"\n");
|
"\n");
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
@ -3184,6 +3186,8 @@ load_vnc_backend(struct weston_compositor *c,
|
||||||
{ WESTON_OPTION_INTEGER, "height", 0, &parsed_options->height },
|
{ WESTON_OPTION_INTEGER, "height", 0, &parsed_options->height },
|
||||||
{ WESTON_OPTION_STRING, "address", 0, &config.bind_address },
|
{ WESTON_OPTION_STRING, "address", 0, &config.bind_address },
|
||||||
{ WESTON_OPTION_INTEGER, "port", 0, &config.port },
|
{ WESTON_OPTION_INTEGER, "port", 0, &config.port },
|
||||||
|
{ WESTON_OPTION_STRING, "vnc-tls-cert", 0, &config.server_cert },
|
||||||
|
{ WESTON_OPTION_STRING, "vnc-tls-key", 0, &config.server_key },
|
||||||
};
|
};
|
||||||
|
|
||||||
parse_options(vnc_options, ARRAY_LENGTH(vnc_options), argc, argv);
|
parse_options(vnc_options, ARRAY_LENGTH(vnc_options), argc, argv);
|
||||||
|
@ -3198,6 +3202,8 @@ load_vnc_backend(struct weston_compositor *c,
|
||||||
&config.base);
|
&config.base);
|
||||||
|
|
||||||
free(config.bind_address);
|
free(config.bind_address);
|
||||||
|
free(config.server_cert);
|
||||||
|
free(config.server_key);
|
||||||
|
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
|
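Review bot: The new `free(config.server_cert)` / `free(config.server_key)` calls run immediately after the backend is loaded, so the backend must not keep these pointers; from this hunk it cannot be confirmed whether nvnc_enable_auth reads the files during vnc_backend_create or retains the paths for later use, and in the latter case both pointers dangle from here on. The hunk also relies on `config` having been zero-initialised before parse_options (its initialiser is earlier in load_vnc_backend, outside the hunk): if it is not, omitting both options leaves `server_cert`/`server_key` indeterminate, and both these frees and the `if (config->server_cert || config->server_key)` check in vnc_backend_create would act on garbage. A one-line comment at the frees, `/* The backend must not retain these; it has read the files by now. */`, would record the lifetime contract.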
@ -62,6 +62,8 @@ struct weston_vnc_backend_config {
|
||||||
char *bind_address;
|
char *bind_address;
|
||||||
int port;
|
int port;
|
||||||
int refresh_rate;
|
int refresh_rate;
|
||||||
|
char *server_cert;
|
||||||
|
char *server_key;
|
||||||
};
|
};
|
||||||
|
|
||||||
#ifdef __cplusplus
|
#ifdef __cplusplus
|
||||||
|
|
|
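Review bot: The two new fields `server_cert` and `server_key` in struct weston_vnc_backend_config carry no comment stating their contract, although the rest of the commit fixes it: vnc_backend_create rejects a configuration that sets only one of them, and load_vnc_backend frees both after loading the backend. Suggest documenting that in the header, e.g. `/* Paths to the TLS certificate and private key files. Either both or neither must be set; the caller keeps ownership and frees them once the backend is loaded. */`. Whether the backend reads the files at create time (rather than keeping the paths) is not visible in this commit and would be worth stating too once confirmed.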
@ -997,6 +997,30 @@ vnc_backend_create(struct weston_compositor *compositor,
|
||||||
nvnc_set_userdata(backend->server, backend, NULL);
|
nvnc_set_userdata(backend->server, backend, NULL);
|
||||||
nvnc_set_name(backend->server, "Weston VNC backend");
|
nvnc_set_name(backend->server, "Weston VNC backend");
|
||||||
|
|
||||||
|
if (config->server_cert || config->server_key) {
|
||||||
|
if (!nvnc_has_auth()) {
|
||||||
|
weston_log("Neat VNC built without TLS support\n");
|
||||||
|
goto err_output;
|
||||||
|
}
|
||||||
|
if (!config->server_cert) {
|
||||||
|
weston_log("Missing TLS certificate (--vnc-tls-cert)\n");
|
||||||
|
goto err_output;
|
||||||
|
}
|
||||||
|
if (!config->server_key) {
|
||||||
|
weston_log("Missing TLS key (--vnc-tls-key)\n");
|
||||||
|
goto err_output;
|
||||||
|
}
|
||||||
|
|
||||||
|
ret = nvnc_enable_auth(backend->server, config->server_key,
|
||||||
|
config->server_cert, NULL, NULL);
|
||||||
|
if (ret) {
|
||||||
|
weston_log("Failed to enable TLS support\n");
|
||||||
|
goto err_output;
|
||||||
|
}
|
||||||
|
|
||||||
|
weston_log("TLS support activated\n");
|
||||||
|
}
|
||||||
|
|
||||||
ret = weston_plugin_api_register(compositor, WESTON_VNC_OUTPUT_API_NAME,
|
ret = weston_plugin_api_register(compositor, WESTON_VNC_OUTPUT_API_NAME,
|
||||||
&api, sizeof(api));
|
&api, sizeof(api));
|
||||||
if (ret < 0) {
|
if (ret < 0) {
|
||||||
|
|
|
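Review bot: The `nvnc_enable_auth(backend->server, config->server_key, config->server_cert, NULL, NULL)` call passes no authentication callback, so this block sets up transport encryption only; if Neat VNC treats a NULL callback as "admit every client that completes the handshake" (to be confirmed against the library), the log line `"TLS support activated\n"` should not be read as access control, and a comment above the `if (config->server_cert || config->server_key)` block should say so, e.g. `/* TLS transport encryption only: no client authentication callback is installed here. */`. Separately, the failure path logs only `"Failed to enable TLS support\n"`, which leaves the operator guessing which file was unreadable or malformed; including the paths, `weston_log("Failed to enable TLS support (key %s, cert %s)\n", config->server_key, config->server_cert);`, makes the error actionable without leaking anything the command line did not already contain. vnc_backend_create begins before this hunk and the `err_output` label it jumps to is outside it, so whether `ret` is meaningful on those paths cannot be checked here.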
@ -19,9 +19,8 @@ the graphical content, depending on what is supported by the VNC client.
|
||||||
The VNC backend is not multi-seat aware, so if a second client connects to the
|
The VNC backend is not multi-seat aware, so if a second client connects to the
|
||||||
backend, the first client will be disconnected.
|
backend, the first client will be disconnected.
|
||||||
|
|
||||||
Note that authentication and encryption are not supported yet. Anyone with
|
Note that authentication is not supported yet. Anyone with access to the port
|
||||||
access to the port can get control of the desktop via the VNC output, and
|
can get control of the desktop via the VNC output.
|
||||||
all data is transferred in plaintext.
|
|
||||||
|
|
||||||
.\" ***************************************************************
|
.\" ***************************************************************
|
||||||
.SH CONFIGURATION
|
.SH CONFIGURATION
|
||||||
|
@ -50,7 +49,35 @@ The height of the framebuffer. It defaults to 480.
|
||||||
.TP
|
.TP
|
||||||
\fB\-\-port\fR=\fIport\fR
|
\fB\-\-port\fR=\fIport\fR
|
||||||
The TCP port to listen on for connections. It defaults to 5900.
|
The TCP port to listen on for connections. It defaults to 5900.
|
||||||
|
.TP
|
||||||
|
\fB\-\-vnc\-tls\-key\fR=\fIfile\fR
|
||||||
|
The file containing the key for doing TLS security. To have TLS security you also need
|
||||||
|
to ship a file containing a certificate.
|
||||||
|
.TP
|
||||||
|
\fB\-\-vnc\-tls\-cert\fR=\fIfile\fR
|
||||||
|
The file containing the certificate for doing TLS security. To have TLS security you also need
|
||||||
|
to ship a key file.
|
||||||
|
|
||||||
|
|
||||||
|
.\" ***************************************************************
|
||||||
|
.SH Generating cryptographic material for the VNC backend
|
||||||
|
.
|
||||||
|
You can generate a key and certificate file to use with TLS security using typical
|
||||||
|
.B openssl
|
||||||
|
invocations:
|
||||||
|
|
||||||
|
.nf
|
||||||
|
$ openssl genrsa -out tls.key 2048
|
||||||
|
Generating RSA private key, 2048 bit long modulus
|
||||||
|
[...]
|
||||||
|
$ openssl req -new -key tls.key -out tls.csr
|
||||||
|
[...]
|
||||||
|
$ openssl x509 -req -days 365 -signkey tls.key -in tls.csr -out tls.crt
|
||||||
|
[...]
|
||||||
|
.fi
|
||||||
|
|
||||||
|
You will get the tls.key and tls.crt files to use with the VNC backend.
|
||||||
|
.
|
||||||
.\" ***************************************************************
|
.\" ***************************************************************
|
||||||
.SH "SEE ALSO"
|
.SH "SEE ALSO"
|
||||||
.BR weston (1)
|
.BR weston (1)
|
||||||
|
|