From 62f4f872e35970a97c1169809343171675f861fcd689938cfeb9196c4e06fe6a Mon Sep 17 00:00:00 2001
From: Stefan Dirsch <sndirsch@suse.com>
Date: Tue, 22 Jun 2021 13:29:49 +0000
Subject: [PATCH] Accepting request 900834 from home:jsikes:branches:X11:XOrg

Now approved by Upstream. Enjoy!

OBS-URL: https://build.opensuse.org/request/show/900834
OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/tigervnc?expand=0&rev=209
---
 tigervnc-FIPS-use-RFC7919.patch | 109 ++++++++++++++++++++++++--------
 tigervnc.changes                |   7 ++
 2 files changed, 89 insertions(+), 27 deletions(-)

diff --git a/tigervnc-FIPS-use-RFC7919.patch b/tigervnc-FIPS-use-RFC7919.patch
index 5744eae..1fc67bd 100644
--- a/tigervnc-FIPS-use-RFC7919.patch
+++ b/tigervnc-FIPS-use-RFC7919.patch
@@ -1,17 +1,33 @@
 diff --git a/common/rfb/SSecurityTLS.cxx b/common/rfb/SSecurityTLS.cxx
-index d5ef47e..2111bae 100644
+index d5ef47e..2ba787e 100644
 --- a/common/rfb/SSecurityTLS.cxx
 +++ b/common/rfb/SSecurityTLS.cxx
-@@ -37,8 +37,6 @@
+@@ -37,7 +37,23 @@
  #include <rdr/TLSOutStream.h>
  #include <gnutls/x509.h>
  
 -#define DH_BITS 1024 /* XXX This should be configurable! */
--
++#if defined (SSECURITYTLS__USE_DEPRECATED_DH)
++/* FFDHE (RFC-7919) 2048-bit parameters, PEM-encoded */
++static unsigned char ffdhe2048[] =
++  "-----BEGIN DH PARAMETERS-----\n"
++  "MIIBDAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz\n"
++  "+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a\n"
++  "87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7\n"
++  "YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi\n"
++  "7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD\n"
++  "ssbzSibBsu/6iGtCOGEoXJf//////////wIBAgICAOE=\n"
++  "-----END DH PARAMETERS-----\n";
++
++static const gnutls_datum_t pkcs3_param = {
++  ffdhe2048,
++  sizeof(ffdhe2048)
++};
++#endif
+ 
  using namespace rfb;
  
- StringParameter SSecurityTLS::X509_CertFile
-@@ -50,7 +48,7 @@ StringParameter SSecurityTLS::X509_KeyFile
+@@ -50,15 +66,20 @@ StringParameter SSecurityTLS::X509_KeyFile
  static LogWriter vlog("TLS");
  
  SSecurityTLS::SSecurityTLS(SConnection* sc, bool _anon)
@@ -20,55 +36,94 @@ index d5ef47e..2111bae 100644
      cert_cred(NULL), anon(_anon), tlsis(NULL), tlsos(NULL),
      rawis(NULL), rawos(NULL)
  {
-@@ -70,11 +68,6 @@ void SSecurityTLS::shutdown()
++#if defined (SSECURITYTLS__USE_DEPRECATED_DH)
++  dh_params = NULL;
++#endif
++
+   certfile = X509_CertFile.getData();
+   keyfile = X509_KeyFile.getData();
+ 
+   if (gnutls_global_init() != GNUTLS_E_SUCCESS)
+     throw AuthFailureException("gnutls_global_init failed");
++
+ }
+ 
+ void SSecurityTLS::shutdown()
+@@ -70,10 +91,12 @@ void SSecurityTLS::shutdown()
      }
    }
  
--  if (dh_params) {
--    gnutls_dh_params_deinit(dh_params);
--    dh_params = 0;
--  }
--
++#if defined (SSECURITYTLS__USE_DEPRECATED_DH)
+   if (dh_params) {
+     gnutls_dh_params_deinit(dh_params);
+     dh_params = 0;
+   }
++#endif
+ 
    if (anon_cred) {
      gnutls_anon_free_server_credentials(anon_cred);
-     anon_cred = 0;
-@@ -198,18 +191,10 @@ void SSecurityTLS::setParams(gnutls_session_t session)
+@@ -198,17 +221,21 @@ void SSecurityTLS::setParams(gnutls_session_t session)
      throw AuthFailureException("gnutls_set_priority_direct failed");
    }
  
--  if (gnutls_dh_params_init(&dh_params) != GNUTLS_E_SUCCESS)
--    throw AuthFailureException("gnutls_dh_params_init failed");
--
++#if defined (SSECURITYTLS__USE_DEPRECATED_DH)
+   if (gnutls_dh_params_init(&dh_params) != GNUTLS_E_SUCCESS)
+     throw AuthFailureException("gnutls_dh_params_init failed");
+ 
 -  if (gnutls_dh_params_generate2(dh_params, DH_BITS) != GNUTLS_E_SUCCESS)
 -    throw AuthFailureException("gnutls_dh_params_generate2 failed");
--
++  if (gnutls_dh_params_import_pkcs3(dh_params, &pkcs3_param, GNUTLS_X509_FMT_PEM) != GNUTLS_E_SUCCESS)
++    throw AuthFailureException("gnutls_dh_params_import_pkcs3 failed");
++#endif
+ 
    if (anon) {
      if (gnutls_anon_allocate_server_credentials(&anon_cred) != GNUTLS_E_SUCCESS)
        throw AuthFailureException("gnutls_anon_allocate_server_credentials failed");
  
--    gnutls_anon_set_server_dh_params(anon_cred, dh_params);
--
++#if defined (SSECURITYTLS__USE_DEPRECATED_DH)
+     gnutls_anon_set_server_dh_params(anon_cred, dh_params);
++#endif
+ 
      if (gnutls_credentials_set(session, GNUTLS_CRD_ANON, anon_cred)
          != GNUTLS_E_SUCCESS)
-       throw AuthFailureException("gnutls_credentials_set failed");
-@@ -220,8 +205,6 @@ void SSecurityTLS::setParams(gnutls_session_t session)
+@@ -220,7 +247,9 @@ void SSecurityTLS::setParams(gnutls_session_t session)
      if (gnutls_certificate_allocate_credentials(&cert_cred) != GNUTLS_E_SUCCESS)
        throw AuthFailureException("gnutls_certificate_allocate_credentials failed");
  
--    gnutls_certificate_set_dh_params(cert_cred, dh_params);
--
++#if defined (SSECURITYTLS__USE_DEPRECATED_DH)
+     gnutls_certificate_set_dh_params(cert_cred, dh_params);
++#endif
+ 
      switch (gnutls_certificate_set_x509_key_file(cert_cred, certfile, keyfile, GNUTLS_X509_FMT_PEM)) {
      case GNUTLS_E_SUCCESS:
-       break;
 diff --git a/common/rfb/SSecurityTLS.h b/common/rfb/SSecurityTLS.h
-index 6f71182..530c524 100644
+index 6f71182..4bddae3 100644
 --- a/common/rfb/SSecurityTLS.h
 +++ b/common/rfb/SSecurityTLS.h
-@@ -55,7 +55,6 @@ namespace rfb {
+@@ -36,6 +36,14 @@
+ #include <rdr/OutStream.h>
+ #include <gnutls/gnutls.h>
+ 
++
++/* In GnuTLS 3.6.0 DH parameter generation was deprecated. RFC7919 is used instead.
++ * GnuTLS before 3.6.0 doesn't know about RFC7919 so we will have to import it.
++ */
++#if GNUTLS_VERSION_NUMBER < 0x030600
++#define SSECURITYTLS__USE_DEPRECATED_DH
++#endif
++
+ namespace rfb {
+ 
+   class SSecurityTLS : public SSecurity {
+@@ -54,8 +62,11 @@ namespace rfb {
+     void setParams(gnutls_session_t session);
  
    private:
++    bool isUsingDeprecatedDH;
      gnutls_session_t session;
--    gnutls_dh_params_t dh_params;
++#if defined (SSECURITYTLS__USE_DEPRECATED_DH)
+     gnutls_dh_params_t dh_params;
++#endif
      gnutls_anon_server_credentials_t anon_cred;
      gnutls_certificate_credentials_t cert_cred;
      char *keyfile, *certfile;
diff --git a/tigervnc.changes b/tigervnc.changes
index 1312252..7e127ea 100644
--- a/tigervnc.changes
+++ b/tigervnc.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Sat Jun 19 00:07:23 UTC 2021 - Jason Sikes <jsikes@suse.com>
+
+- Specify RFC7919 parameters for GnuTLS versions older than 3.6.0.
+  * Modified tigervnc-FIPS-use-RFC7919.patch
+  * https://github.com/TigerVNC/tigervnc/pull/1273
+
 -------------------------------------------------------------------
 Mon Jun  7 01:47:07 UTC 2021 - Jason Sikes <jsikes@suse.com>