pool/tigervnc
SHA256
4
0
Fork 1
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Accepting request 901338 from X11:XOrg

Browse Source 
OBS-URL: https://build.opensuse.org/request/show/901338
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/tigervnc?expand=0&rev=78
This commit is contained in:
Dominique Leuenberger 2021-06-25 13:00:51 +00:00 committed by Git OBS Bridge
commit 15f71365ea
2 changed files with 89 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

109
tigervnc-FIPS-use-RFC7919.patch
View File

@ -1,17 +1,33 @@
diff --git a/common/rfb/SSecurityTLS.cxx b/common/rfb/SSecurityTLS.cxx
index d5ef47e..2111bae 100644
index d5ef47e..2ba787e 100644
--- a/common/rfb/SSecurityTLS.cxx
+++ b/common/rfb/SSecurityTLS.cxx
@@ -37,8 +37,6 @@
@@ -37,7 +37,23 @@
#include <rdr/TLSOutStream.h>
#include <gnutls/x509.h>
-#define DH_BITS 1024 /* XXX This should be configurable! */
-
+#if defined (SSECURITYTLS__USE_DEPRECATED_DH)
+/* FFDHE (RFC-7919) 2048-bit parameters, PEM-encoded */
+static unsigned char ffdhe2048[] =
+ "-----BEGIN DH PARAMETERS-----\n"
+ "MIIBDAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz\n"
+ "+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a\n"
+ "87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7\n"
+ "YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi\n"
+ "7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD\n"
+ "ssbzSibBsu/6iGtCOGEoXJf//////////wIBAgICAOE=\n"
+ "-----END DH PARAMETERS-----\n";
+
+static const gnutls_datum_t pkcs3_param = {
+ ffdhe2048,
+ sizeof(ffdhe2048)
+};
+#endif
using namespace rfb;
StringParameter SSecurityTLS::X509_CertFile
@@ -50,7 +48,7 @@ StringParameter SSecurityTLS::X509_KeyFile
@@ -50,15 +66,20 @@ StringParameter SSecurityTLS::X509_KeyFile
static LogWriter vlog("TLS");
SSecurityTLS::SSecurityTLS(SConnection* sc, bool _anon)
@ -20,55 +36,94 @@ index d5ef47e..2111bae 100644
cert_cred(NULL), anon(_anon), tlsis(NULL), tlsos(NULL),
rawis(NULL), rawos(NULL)
{
@@ -70,11 +68,6 @@ void SSecurityTLS::shutdown()
+#if defined (SSECURITYTLS__USE_DEPRECATED_DH)
+ dh_params = NULL;
+#endif
+
certfile = X509_CertFile.getData();
keyfile = X509_KeyFile.getData();
if (gnutls_global_init() != GNUTLS_E_SUCCESS)
throw AuthFailureException("gnutls_global_init failed");
+
}
void SSecurityTLS::shutdown()
@@ -70,10 +91,12 @@ void SSecurityTLS::shutdown()
}
}
- if (dh_params) {
- gnutls_dh_params_deinit(dh_params);
- dh_params = 0;
- }
-
+#if defined (SSECURITYTLS__USE_DEPRECATED_DH)
if (dh_params) {
gnutls_dh_params_deinit(dh_params);
dh_params = 0;
}
+#endif
if (anon_cred) {
gnutls_anon_free_server_credentials(anon_cred);
anon_cred = 0;
@@ -198,18 +191,10 @@ void SSecurityTLS::setParams(gnutls_session_t session)
@@ -198,17 +221,21 @@ void SSecurityTLS::setParams(gnutls_session_t session)
throw AuthFailureException("gnutls_set_priority_direct failed");
}
- if (gnutls_dh_params_init(&dh_params) != GNUTLS_E_SUCCESS)
- throw AuthFailureException("gnutls_dh_params_init failed");
-
+#if defined (SSECURITYTLS__USE_DEPRECATED_DH)
if (gnutls_dh_params_init(&dh_params) != GNUTLS_E_SUCCESS)
throw AuthFailureException("gnutls_dh_params_init failed");
- if (gnutls_dh_params_generate2(dh_params, DH_BITS) != GNUTLS_E_SUCCESS)
- throw AuthFailureException("gnutls_dh_params_generate2 failed");
-
+ if (gnutls_dh_params_import_pkcs3(dh_params, &pkcs3_param, GNUTLS_X509_FMT_PEM) != GNUTLS_E_SUCCESS)
+ throw AuthFailureException("gnutls_dh_params_import_pkcs3 failed");
+#endif
if (anon) {
if (gnutls_anon_allocate_server_credentials(&anon_cred) != GNUTLS_E_SUCCESS)
throw AuthFailureException("gnutls_anon_allocate_server_credentials failed");
- gnutls_anon_set_server_dh_params(anon_cred, dh_params);
-
+#if defined (SSECURITYTLS__USE_DEPRECATED_DH)
gnutls_anon_set_server_dh_params(anon_cred, dh_params);
+#endif
if (gnutls_credentials_set(session, GNUTLS_CRD_ANON, anon_cred)
!= GNUTLS_E_SUCCESS)
throw AuthFailureException("gnutls_credentials_set failed");
@@ -220,8 +205,6 @@ void SSecurityTLS::setParams(gnutls_session_t session)
@@ -220,7 +247,9 @@ void SSecurityTLS::setParams(gnutls_session_t session)
if (gnutls_certificate_allocate_credentials(&cert_cred) != GNUTLS_E_SUCCESS)
throw AuthFailureException("gnutls_certificate_allocate_credentials failed");
- gnutls_certificate_set_dh_params(cert_cred, dh_params);
-
+#if defined (SSECURITYTLS__USE_DEPRECATED_DH)
gnutls_certificate_set_dh_params(cert_cred, dh_params);
+#endif
switch (gnutls_certificate_set_x509_key_file(cert_cred, certfile, keyfile, GNUTLS_X509_FMT_PEM)) {
case GNUTLS_E_SUCCESS:
break;
diff --git a/common/rfb/SSecurityTLS.h b/common/rfb/SSecurityTLS.h
index 6f71182..530c524 100644
index 6f71182..4bddae3 100644
--- a/common/rfb/SSecurityTLS.h
+++ b/common/rfb/SSecurityTLS.h
@@ -55,7 +55,6 @@ namespace rfb {
@@ -36,6 +36,14 @@
#include <rdr/OutStream.h>
#include <gnutls/gnutls.h>
+
+/* In GnuTLS 3.6.0 DH parameter generation was deprecated. RFC7919 is used instead.
+ * GnuTLS before 3.6.0 doesn't know about RFC7919 so we will have to import it.
+ */
+#if GNUTLS_VERSION_NUMBER < 0x030600
+#define SSECURITYTLS__USE_DEPRECATED_DH
+#endif
+
namespace rfb {
class SSecurityTLS : public SSecurity {
@@ -54,8 +62,11 @@ namespace rfb {
void setParams(gnutls_session_t session);
private:
+ bool isUsingDeprecatedDH;
gnutls_session_t session;
- gnutls_dh_params_t dh_params;
+#if defined (SSECURITYTLS__USE_DEPRECATED_DH)
gnutls_dh_params_t dh_params;
+#endif
gnutls_anon_server_credentials_t anon_cred;
gnutls_certificate_credentials_t cert_cred;
char *keyfile, *certfile;

7
tigervnc.changes
View File

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Sat Jun 19 00:07:23 UTC 2021 - Jason Sikes <jsikes@suse.com>
- Specify RFC7919 parameters for GnuTLS versions older than 3.6.0.
* Modified tigervnc-FIPS-use-RFC7919.patch
* https://github.com/TigerVNC/tigervnc/pull/1273
-------------------------------------------------------------------
Mon Jun 7 01:47:07 UTC 2021 - Jason Sikes <jsikes@suse.com>