152 lines
5.2 KiB
Diff
152 lines
5.2 KiB
Diff
From b00c7ec03ce46936a042f1ea1c0ad74bace9f4bc Mon Sep 17 00:00:00 2001
|
|
From: Philipp Zabel <p.zabel@pengutronix.de>
|
|
Date: Thu, 6 Oct 2022 12:18:04 +0200
|
|
Subject: [PATCH 87/93] backend-vnc: enable TLS support
|
|
|
|
Add TLS key and certificate parameters to enable encryption support.
|
|
|
|
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
|
|
(cherry picked from commit 1a027e63cb4dda7a7483034e89314bd8b064ed1b)
|
|
Signed-off-by: Jeffy Chen <jeffy.chen@rock-chips.com>
|
|
---
|
|
compositor/main.c | 6 ++++++
|
|
include/libweston/backend-vnc.h | 2 ++
|
|
libweston/backend-vnc/vnc.c | 24 ++++++++++++++++++++++++
|
|
man/weston-vnc.man | 33 ++++++++++++++++++++++++++++++---
|
|
4 files changed, 62 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/compositor/main.c b/compositor/main.c
|
|
index aee3f24..a168c98 100644
|
|
--- a/compositor/main.c
|
|
+++ b/compositor/main.c
|
|
@@ -730,6 +730,8 @@ usage(int error_code)
|
|
" --width=WIDTH\t\tWidth of desktop\n"
|
|
" --height=HEIGHT\tHeight of desktop\n"
|
|
" --port=PORT\t\tThe port to listen on\n"
|
|
+ " --vnc-tls-cert=FILE\tThe file containing the certificate for TLS encryption\n"
|
|
+ " --vnc-tls-key=FILE\tThe file containing the private key for TLS encryption\n"
|
|
"\n");
|
|
#endif
|
|
|
|
@@ -3256,6 +3258,8 @@ load_vnc_backend(struct weston_compositor *c,
|
|
{ WESTON_OPTION_INTEGER, "height", 0, &parsed_options->height },
|
|
{ WESTON_OPTION_STRING, "address", 0, &config.bind_address },
|
|
{ WESTON_OPTION_INTEGER, "port", 0, &config.port },
|
|
+ { WESTON_OPTION_STRING, "vnc-tls-cert", 0, &config.server_cert },
|
|
+ { WESTON_OPTION_STRING, "vnc-tls-key", 0, &config.server_key },
|
|
};
|
|
|
|
parse_options(vnc_options, ARRAY_LENGTH(vnc_options), argc, argv);
|
|
@@ -3270,6 +3274,8 @@ load_vnc_backend(struct weston_compositor *c,
|
|
&config.base);
|
|
|
|
free(config.bind_address);
|
|
+ free(config.server_cert);
|
|
+ free(config.server_key);
|
|
|
|
return ret;
|
|
}
|
|
diff --git a/include/libweston/backend-vnc.h b/include/libweston/backend-vnc.h
|
|
index 0085df5..3495c0e 100644
|
|
--- a/include/libweston/backend-vnc.h
|
|
+++ b/include/libweston/backend-vnc.h
|
|
@@ -62,6 +62,8 @@ struct weston_vnc_backend_config {
|
|
char *bind_address;
|
|
int port;
|
|
int refresh_rate;
|
|
+ char *server_cert;
|
|
+ char *server_key;
|
|
};
|
|
|
|
#ifdef __cplusplus
|
|
diff --git a/libweston/backend-vnc/vnc.c b/libweston/backend-vnc/vnc.c
|
|
index 190fe92..e57e377 100644
|
|
--- a/libweston/backend-vnc/vnc.c
|
|
+++ b/libweston/backend-vnc/vnc.c
|
|
@@ -997,6 +997,30 @@ vnc_backend_create(struct weston_compositor *compositor,
|
|
nvnc_set_userdata(backend->server, backend, NULL);
|
|
nvnc_set_name(backend->server, "Weston VNC backend");
|
|
|
|
+ if (config->server_cert || config->server_key) {
|
|
+ if (!nvnc_has_auth()) {
|
|
+ weston_log("Neat VNC built without TLS support\n");
|
|
+ goto err_output;
|
|
+ }
|
|
+ if (!config->server_cert) {
|
|
+ weston_log("Missing TLS certificate (--vnc-tls-cert)\n");
|
|
+ goto err_output;
|
|
+ }
|
|
+ if (!config->server_key) {
|
|
+ weston_log("Missing TLS key (--vnc-tls-key)\n");
|
|
+ goto err_output;
|
|
+ }
|
|
+
|
|
+ ret = nvnc_enable_auth(backend->server, config->server_key,
|
|
+ config->server_cert, NULL, NULL);
|
|
+ if (ret) {
|
|
+ weston_log("Failed to enable TLS support\n");
|
|
+ goto err_output;
|
|
+ }
|
|
+
|
|
+ weston_log("TLS support activated\n");
|
|
+ }
|
|
+
|
|
ret = weston_plugin_api_register(compositor, WESTON_VNC_OUTPUT_API_NAME,
|
|
&api, sizeof(api));
|
|
if (ret < 0) {
|
|
diff --git a/man/weston-vnc.man b/man/weston-vnc.man
|
|
index 6491097..582fe28 100644
|
|
--- a/man/weston-vnc.man
|
|
+++ b/man/weston-vnc.man
|
|
@@ -19,9 +19,8 @@ the graphical content, depending on what is supported by the VNC client.
|
|
The VNC backend is not multi-seat aware, so if a second client connects to the
|
|
backend, the first client will be disconnected.
|
|
|
|
-Note that authentication and encryption are not supported yet. Anyone with
|
|
-access to the port can get control of the desktop via the VNC output, and
|
|
-all data is transferred in plaintext.
|
|
+Note that authentication is not supported yet. Anyone with access to the port
|
|
+can get control of the desktop via the VNC output.
|
|
|
|
.\" ***************************************************************
|
|
.SH CONFIGURATION
|
|
@@ -50,7 +49,35 @@ The height of the framebuffer. It defaults to 480.
|
|
.TP
|
|
\fB\-\-port\fR=\fIport\fR
|
|
The TCP port to listen on for connections. It defaults to 5900.
|
|
+.TP
|
|
+\fB\-\-vnc\-tls\-key\fR=\fIfile\fR
|
|
+The file containing the key for doing TLS security. To have TLS security you also need
|
|
+to ship a file containing a certificate.
|
|
+.TP
|
|
+\fB\-\-vnc\-tls\-cert\fR=\fIfile\fR
|
|
+The file containing the certificate for doing TLS security. To have TLS security you also need
|
|
+to ship a key file.
|
|
+
|
|
+
|
|
+.\" ***************************************************************
|
|
+.SH Generating cryptographic material for the VNC backend
|
|
+.
|
|
+You can generate a key and certificate file to use with TLS security using typical
|
|
+.B openssl
|
|
+invocations:
|
|
|
|
+.nf
|
|
+$ openssl genrsa -out tls.key 2048
|
|
+Generating RSA private key, 2048 bit long modulus
|
|
+[...]
|
|
+$ openssl req -new -key tls.key -out tls.csr
|
|
+[...]
|
|
+$ openssl x509 -req -days 365 -signkey tls.key -in tls.csr -out tls.crt
|
|
+[...]
|
|
+.fi
|
|
+
|
|
+You will get the tls.key and tls.crt files to use with the VNC backend.
|
|
+.
|
|
.\" ***************************************************************
|
|
.SH "SEE ALSO"
|
|
.BR weston (1)
|
|
--
|
|
2.20.1
|
|
|