pool/tigervnc
SHA256
4
0
Fork 1
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Accepting request 297178 from X11:XOrg

Browse Source 
1

OBS-URL: https://build.opensuse.org/request/show/297178
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/tigervnc?expand=0&rev=20
This commit is contained in:
Dominique Leuenberger 2015-04-18 08:38:44 +00:00 committed by Git OBS Bridge
commit fa50566447
5 changed files with 751 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
tigervnc-1.4.1.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:5cffd87707fff8e89b9236bc18925729485dd607872833f3a433fea744809ddd
size 1369531

719
tigervnc-gnutls-3.4-required.patch Normal file
View File

@ -0,0 +1,719 @@
From 88c24edd8f7a793561104be50b6ecf2c85b42956 Mon Sep 17 00:00:00 2001
From: Pierre Ossman <ossman@cendio.se>
Date: Thu, 29 Jan 2015 13:12:22 +0100
Subject: [PATCH] Raise GnuTLS requirements to 3.x
This allows us to simplify things by getting rid of some old
compatibility code. People should really be using current versions
of GnuTLS anyway to stay secure.
---
BUILDING.txt | 2 +-
CMakeLists.txt | 24 ------
common/os/CMakeLists.txt | 3 +-
common/os/tls.cxx | 198 --------------------------------------------
common/os/tls.h | 59 -------------
common/rdr/TLSErrno.h | 46 ----------
common/rdr/TLSInStream.cxx | 11 ++-
common/rdr/TLSInStream.h | 6 +-
common/rdr/TLSOutStream.cxx | 9 +-
common/rdr/TLSOutStream.h | 6 +-
common/rfb/CSecurityTLS.cxx | 31 ++++---
common/rfb/CSecurityTLS.h | 6 +-
common/rfb/SSecurityTLS.cxx | 23 +++--
common/rfb/SSecurityTLS.h | 10 +--
config.h.in | 7 --
15 files changed, 60 insertions(+), 381 deletions(-)
delete mode 100644 common/os/tls.cxx
delete mode 100644 common/os/tls.h
delete mode 100644 common/rdr/TLSErrno.h
Index: tigervnc-1.4.3/BUILDING.txt
===================================================================
--- tigervnc-1.4.3.orig/BUILDING.txt
+++ tigervnc-1.4.3/BUILDING.txt
@@ -14,7 +14,7 @@ Build Requirements (All Systems)
* See "Building FLTK" below.
-- If building TLS support:
- * GnuTLS
+ * GnuTLS 3.x
* See "Building TLS Support" below.
-- If building native language support (NLS):
Index: tigervnc-1.4.3/CMakeLists.txt
===================================================================
--- tigervnc-1.4.3.orig/CMakeLists.txt
+++ tigervnc-1.4.3/CMakeLists.txt
@@ -270,30 +270,6 @@ if(ENABLE_GNUTLS)
include_directories(${GNUTLS_INCLUDE_DIR})
add_definitions("-DHAVE_GNUTLS")
add_definitions(${GNUTLS_DEFINITIONS})
-
- # Detect old version of GnuTLS
- set(CMAKE_REQUIRED_FLAGS -I${GNUTLS_INCLUDE_DIR})
- set(CMAKE_EXTRA_INCLUDE_FILES gnutls/gnutls.h)
- set(CMAKE_REQUIRED_LIBRARIES ${GNUTLS_LIBRARIES})
- if(WIN32)
- set(CMAKE_REQUIRED_LIBRARIES ${CMAKE_REQUIRED_LIBRARIES} ws2_32 user32)
- endif()
- if(ZLIB_FOUND)
- # When we build against the static version of GnuTLS, we also use the
- # included version of Zlib, but it isn't built yet, so we have to use the
- # system's version (if available) to perform this test.
- set(CMAKE_REQUIRED_LIBRARIES ${CMAKE_REQUIRED_LIBRARIES};-lz)
- endif()
- check_function_exists(gnutls_transport_set_errno HAVE_GNUTLS_SET_ERRNO)
- check_function_exists(gnutls_transport_set_global_errno HAVE_GNUTLS_SET_GLOBAL_ERRNO)
- check_function_exists(gnutls_x509_crt_print HAVE_GNUTLS_X509_CRT_PRINT)
- check_type_size(gnutls_x509_crt_t GNUTLS_X509_CRT_T)
- check_type_size(gnutls_datum_t GNUTLS_DATUM_T)
- check_type_size(gnutls_pk_algorithm_t GNUTLS_PK_ALGORITHM_T)
- check_type_size(gnutls_sign_algorithm_t GNUTLS_SIGN_ALGORITHM_T)
- set(CMAKE_REQUIRED_FLAGS)
- set(CMAKE_EXTRA_INCLUDE_FILES)
- set(CMAKE_REQUIRED_LIBRARIES)
endif()
endif()
Index: tigervnc-1.4.3/common/os/CMakeLists.txt
===================================================================
--- tigervnc-1.4.3.orig/common/os/CMakeLists.txt
+++ tigervnc-1.4.3/common/os/CMakeLists.txt
@@ -2,8 +2,7 @@ include_directories(${CMAKE_SOURCE_DIR}/
add_library(os STATIC
w32tiger.c
- os.cxx
- tls.cxx)
+ os.cxx)
if(UNIX)
libtool_create_control_file(os)
Index: tigervnc-1.4.3/common/os/tls.cxx
===================================================================
--- tigervnc-1.4.3.orig/common/os/tls.cxx
+++ /dev/null
@@ -1,198 +0,0 @@
-/* Copyright (C) 2011 TightVNC Team. All Rights Reserved.
- *
- * This is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This software is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this software; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
- * USA.
- */
-
-#ifdef HAVE_CONFIG_H
-#include <config.h>
-#endif
-
-#include <os/tls.h>
-
-#include <iomanip>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <sstream>
-#include <sys/types.h>
-#include <time.h>
-
-using namespace std;
-
-#if defined(HAVE_GNUTLS) && !defined(WIN32)
-#include <gnutls/gnutls.h>
-#include <gnutls/x509.h>
-
-#ifndef HAVE_GNUTLS_X509_CRT_PRINT
-
-/* Ancient GNUTLS... */
-#if !defined(GNUTLS_VERSION_NUMBER) && !defined(LIBGNUTLS_VERSION_NUMBER)
-#define GNUTLS_DIG_SHA1 GNUTLS_DIG_SHA
-#endif
-
-#define UNKNOWN_SUBJECT(err) \
- do { \
- ss << "unknown subject (" << gnutls_strerror(err) << "), "; \
- } while (0)
-
-#define UNKNOWN_ISSUER(err) \
- do { \
- ss << "unknown issuer (" << gnutls_strerror(err) << "), "; \
- } while (0)
-
-
-static void
-hexprint(ostringstream &ss, const char *data, size_t len)
-{
- size_t j;
- char tmp[3];
-
- if (len == 0)
- ss << "00";
- else {
- for (j = 0; j < len; j++) {
- snprintf(tmp, sizeof(tmp), "%.2x", (unsigned char) data[j]);
- ss << tmp;
- }
- }
-}
-
-/* Implementation based on gnutls_x509_crt_print from GNUTLS */
-int
-gnutls_x509_crt_print(gnutls_x509_crt_t cert,
- gnutls_certificate_print_formats_t format,
- gnutls_datum_t * out)
-{
- ostringstream ss;
-
- int err;
-
- char *dn;
- size_t dn_size = 0;
-
- /* Subject */
- err = gnutls_x509_crt_get_dn(cert, NULL, &dn_size);
- if (err != GNUTLS_E_SHORT_MEMORY_BUFFER)
- UNKNOWN_SUBJECT(err);
- else {
- dn = (char *)malloc(dn_size);
- if (dn == NULL) {
- UNKNOWN_SUBJECT(GNUTLS_E_MEMORY_ERROR);
- } else {
- err = gnutls_x509_crt_get_dn(cert, dn, &dn_size);
- if (err < 0) {
- UNKNOWN_SUBJECT(err);
- } else
- ss << "subject `" << dn << "', ";
- free(dn);
- }
- }
-
- /* Issuer */
- dn = NULL;
- dn_size = 0;
- err = gnutls_x509_crt_get_issuer_dn(cert, NULL, &dn_size);
- if (err != GNUTLS_E_SHORT_MEMORY_BUFFER)
- UNKNOWN_ISSUER(err);
- else {
- dn = (char *)malloc(dn_size);
- if (dn == NULL) {
- UNKNOWN_ISSUER(GNUTLS_E_MEMORY_ERROR);
- } else {
- err = gnutls_x509_crt_get_issuer_dn(cert, dn, &dn_size);
- if (err < 0)
- UNKNOWN_ISSUER(err);
- else
- ss << "issuer `" << dn << "', ";
- free(dn);
- }
- }
-
- /* Key algorithm and size */
- unsigned int bits;
- const char *name;
- name = gnutls_pk_algorithm_get_name( (gnutls_pk_algorithm_t)
- gnutls_x509_crt_get_pk_algorithm(cert, &bits));
- if (name == NULL)
- name = "Unknown";
- ss << name << " key " << bits << " bits, ";
-
- /* Signature algorithm */
- err = gnutls_x509_crt_get_signature_algorithm(cert);
- if (err < 0) {
- ss << "unknown signature algorithm (" << gnutls_strerror(err)
- << "), ";
- } else {
- const char *name;
- name = gnutls_sign_algorithm_get_name((gnutls_sign_algorithm_t)err);
- if (name == NULL)
- name = "Unknown";
-
- ss << "signed using " << name;
- if (err == GNUTLS_SIGN_RSA_MD5 || err == GNUTLS_SIGN_RSA_MD2)
- ss << " (broken!)";
- ss << ", ";
- }
-
- /* Validity */
- time_t tim;
- char s[42];
- size_t max = sizeof(s);
- struct tm t;
-
- tim = gnutls_x509_crt_get_activation_time(cert);
- if (gmtime_r(&tim, &t) == NULL)
- ss << "unknown activation (" << (unsigned long) tim << ")";
- else if (strftime(s, max, "%Y-%m-%d %H:%M:%S UTC", &t) == 0)
- ss << "failed activation (" << (unsigned long) tim << ")";
- else
- ss << "activated `" << s << "'";
- ss << ", ";
-
- tim = gnutls_x509_crt_get_expiration_time(cert);
- if (gmtime_r(&tim, &t) == NULL)
- ss << "unknown expiry (" << (unsigned long) tim << ")";
- else if (strftime(s, max, "%Y-%m-%d %H:%M:%S UTC", &t) == 0)
- ss << "failed expiry (" << (unsigned long) tim << ")";
- else
- ss << "expires `" << s << "'";
- ss << ", ";
-
- /* Fingerprint */
- char buffer[20];
- size_t size = sizeof(buffer);
-
- err = gnutls_x509_crt_get_fingerprint(cert, GNUTLS_DIG_SHA1, buffer, &size);
- if (err < 0)
- ss << "unknown fingerprint (" << gnutls_strerror(err) << ")";
- else {
- ss << "SHA-1 fingerprint `";
- hexprint(ss, buffer, size);
- ss << "'";
- }
-
- out->data = (unsigned char *) strdup(ss.str().c_str());
- if (out->data == NULL)
- return GNUTLS_E_MEMORY_ERROR;
- out->size = strlen((char *)out->data);
-
- return 0;
-}
-
-#endif /* HAVE_GNUTLS_X509_CRT_PRINT */
-
-#endif /* HAVE_GNUTLS */
-
Index: tigervnc-1.4.3/common/os/tls.h
===================================================================
--- tigervnc-1.4.3.orig/common/os/tls.h
+++ /dev/null
@@ -1,59 +0,0 @@
-/* Copyright (C) 2011 TightVNC Team. All Rights Reserved.
- *
- * This is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This software is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this software; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
- * USA.
- */
-
-#ifndef OS_TLS_H
-#define OS_TLS_H
-
-#ifdef HAVE_CONFIG_H
-#include <config.h>
-#endif
-
-#if defined(HAVE_GNUTLS)
-#include <gnutls/gnutls.h>
-
-#ifndef HAVE_GNUTLS_DATUM_T
-typedef gnutls_datum gnutls_datum_t;
-#endif
-#ifndef HAVE_GNUTLS_X509_CRT_T
-typedef gnutls_x509_crt gnutls_x509_crt_t;
-#endif
-#ifndef HAVE_GNUTLS_PK_ALGORITHM_T
-typedef gnutls_pk_algorithm gnutls_pk_algorithm_t;
-#endif
-#ifndef HAVE_GNUTLS_SIGN_ALGORITHM_T
-typedef gnutls_sign_algorithm gnutls_sign_algorithm_t;
-#endif
-
-#ifndef HAVE_GNUTLS_X509_CRT_PRINT
-
-typedef enum {
- GNUTLS_CRT_PRINT_ONELINE = 1
-} gnutls_certificate_print_formats_t;
-
-/*
- * Prints certificate in human-readable form.
- */
-int
-gnutls_x509_crt_print(gnutls_x509_crt_t cert,
- gnutls_certificate_print_formats_t format,
- gnutls_datum_t * out);
-#endif /* HAVE_GNUTLS_X509_CRT_PRINT */
-#endif /* HAVE_GNUTLS */
-
-#endif /* OS_TLS_H */
-
Index: tigervnc-1.4.3/common/rdr/TLSErrno.h
===================================================================
--- tigervnc-1.4.3.orig/common/rdr/TLSErrno.h
+++ /dev/null
@@ -1,46 +0,0 @@
-/* Copyright (C) 2012 Pierre Ossman for Cendio AB
- *
- * This is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This software is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this software; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
- * USA.
- */
-
-#ifndef __RDR_TLSERRNO_H__
-#define __RDR_TLSERRNO_H__
-
-#ifdef HAVE_CONFIG_H
-#include <config.h>
-#endif
-
-#ifdef HAVE_GNUTLS
-
-#include <errno.h>
-
-namespace rdr {
-
- static inline void gnutls_errno_helper(gnutls_session session, int _errno)
- {
-#if defined(HAVE_GNUTLS_SET_ERRNO)
- gnutls_transport_set_errno(session, _errno);
-#elif defined(HAVE_GNUTLS_SET_GLOBAL_ERRNO)
- gnutls_transport_set_global_errno(_errno);
-#else
- errno = _errno;
-#endif
- }
-};
-
-#endif
-
-#endif
Index: tigervnc-1.4.3/common/rdr/TLSInStream.cxx
===================================================================
--- tigervnc-1.4.3.orig/common/rdr/TLSInStream.cxx
+++ tigervnc-1.4.3/common/rdr/TLSInStream.cxx
@@ -25,7 +25,6 @@
#include <rdr/Exception.h>
#include <rdr/TLSException.h>
#include <rdr/TLSInStream.h>
-#include <rdr/TLSErrno.h>
#include <errno.h>
#ifdef HAVE_GNUTLS
@@ -33,14 +32,14 @@ using namespace rdr;
enum { DEFAULT_BUF_SIZE = 16384 };
-ssize_t TLSInStream::pull(gnutls_transport_ptr str, void* data, size_t size)
+ssize_t TLSInStream::pull(gnutls_transport_ptr_t str, void* data, size_t size)
{
TLSInStream* self= (TLSInStream*) str;
InStream *in = self->in;
try {
if (!in->check(1, 1, false)) {
- gnutls_errno_helper(self->session, EAGAIN);
+ gnutls_transport_set_errno(self->session, EAGAIN);
return -1;
}
@@ -50,17 +49,17 @@ ssize_t TLSInStream::pull(gnutls_transpo
in->readBytes(data, size);
} catch (Exception& e) {
- gnutls_errno_helper(self->session, EINVAL);
+ gnutls_transport_set_errno(self->session, EINVAL);
return -1;
}
return size;
}
-TLSInStream::TLSInStream(InStream* _in, gnutls_session _session)
+TLSInStream::TLSInStream(InStream* _in, gnutls_session_t _session)
: session(_session), in(_in), bufSize(DEFAULT_BUF_SIZE), offset(0)
{
- gnutls_transport_ptr recv, send;
+ gnutls_transport_ptr_t recv, send;
ptr = end = start = new U8[bufSize];
Index: tigervnc-1.4.3/common/rdr/TLSInStream.h
===================================================================
--- tigervnc-1.4.3.orig/common/rdr/TLSInStream.h
+++ tigervnc-1.4.3/common/rdr/TLSInStream.h
@@ -33,7 +33,7 @@ namespace rdr {
class TLSInStream : public InStream {
public:
- TLSInStream(InStream* in, gnutls_session session);
+ TLSInStream(InStream* in, gnutls_session_t session);
virtual ~TLSInStream();
int pos();
@@ -41,9 +41,9 @@ namespace rdr {
private:
int overrun(int itemSize, int nItems, bool wait);
int readTLS(U8* buf, int len, bool wait);
- static ssize_t pull(gnutls_transport_ptr str, void* data, size_t size);
+ static ssize_t pull(gnutls_transport_ptr_t str, void* data, size_t size);
- gnutls_session session;
+ gnutls_session_t session;
InStream* in;
int bufSize;
int offset;
Index: tigervnc-1.4.3/common/rdr/TLSOutStream.cxx
===================================================================
--- tigervnc-1.4.3.orig/common/rdr/TLSOutStream.cxx
+++ tigervnc-1.4.3/common/rdr/TLSOutStream.cxx
@@ -25,7 +25,6 @@
#include <rdr/Exception.h>
#include <rdr/TLSException.h>
#include <rdr/TLSOutStream.h>
-#include <rdr/TLSErrno.h>
#include <errno.h>
#ifdef HAVE_GNUTLS
@@ -33,7 +32,7 @@ using namespace rdr;
enum { DEFAULT_BUF_SIZE = 16384 };
-ssize_t TLSOutStream::push(gnutls_transport_ptr str, const void* data,
+ssize_t TLSOutStream::push(gnutls_transport_ptr_t str, const void* data,
size_t size)
{
TLSOutStream* self= (TLSOutStream*) str;
@@ -43,17 +42,17 @@ ssize_t TLSOutStream::push(gnutls_transp
out->writeBytes(data, size);
out->flush();
} catch (Exception& e) {
- gnutls_errno_helper(self->session, EINVAL);
+ gnutls_transport_set_errno(self->session, EINVAL);
return -1;
}
return size;
}
-TLSOutStream::TLSOutStream(OutStream* _out, gnutls_session _session)
+TLSOutStream::TLSOutStream(OutStream* _out, gnutls_session_t _session)
: session(_session), out(_out), bufSize(DEFAULT_BUF_SIZE), offset(0)
{
- gnutls_transport_ptr recv, send;
+ gnutls_transport_ptr_t recv, send;
ptr = start = new U8[bufSize];
end = start + bufSize;
Index: tigervnc-1.4.3/common/rdr/TLSOutStream.h
===================================================================
--- tigervnc-1.4.3.orig/common/rdr/TLSOutStream.h
+++ tigervnc-1.4.3/common/rdr/TLSOutStream.h
@@ -32,7 +32,7 @@ namespace rdr {
class TLSOutStream : public OutStream {
public:
- TLSOutStream(OutStream* out, gnutls_session session);
+ TLSOutStream(OutStream* out, gnutls_session_t session);
virtual ~TLSOutStream();
void flush();
@@ -43,9 +43,9 @@ namespace rdr {
private:
int writeTLS(const U8* data, int length);
- static ssize_t push(gnutls_transport_ptr str, const void* data, size_t size);
+ static ssize_t push(gnutls_transport_ptr_t str, const void* data, size_t size);
- gnutls_session session;
+ gnutls_session_t session;
OutStream* out;
int bufSize;
U8* start;
Index: tigervnc-1.4.3/common/rfb/CSecurityTLS.cxx
===================================================================
--- tigervnc-1.4.3.orig/common/rfb/CSecurityTLS.cxx
+++ tigervnc-1.4.3/common/rfb/CSecurityTLS.cxx
@@ -42,7 +42,6 @@
#include <rdr/TLSInStream.h>
#include <rdr/TLSOutStream.h>
#include <os/os.h>
-#include <os/tls.h>
#include <gnutls/x509.h>
@@ -202,13 +201,19 @@ bool CSecurityTLS::processMsg(CConnectio
void CSecurityTLS::setParam()
{
- static const int kx_anon_priority[] = { GNUTLS_KX_ANON_DH, 0 };
- static const int kx_priority[] = { GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA,
- GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0 };
+ static const char kx_anon_priority[] = "NORMAL:+ANON-ECDH:+ANON-DH";
+ static const char kx_priority[] = "NORMAL";
+
+ int ret;
+ const char *err;
if (anon) {
- if (gnutls_kx_set_priority(session, kx_anon_priority) != GNUTLS_E_SUCCESS)
- throw AuthFailureException("gnutls_kx_set_priority failed");
+ ret = gnutls_priority_set_direct(session, kx_anon_priority, &err);
+ if (ret != GNUTLS_E_SUCCESS) {
+ if (ret == GNUTLS_E_INVALID_REQUEST)
+ vlog.error("GnuTLS priority syntax error at: %s", err);
+ throw AuthFailureException("gnutls_set_priority_direct failed");
+ }
if (gnutls_anon_allocate_client_credentials(&anon_cred) != GNUTLS_E_SUCCESS)
throw AuthFailureException("gnutls_anon_allocate_client_credentials failed");
@@ -218,8 +223,12 @@ void CSecurityTLS::setParam()
vlog.debug("Anonymous session has been set");
} else {
- if (gnutls_kx_set_priority(session, kx_priority) != GNUTLS_E_SUCCESS)
- throw AuthFailureException("gnutls_kx_set_priority failed");
+ ret = gnutls_priority_set_direct(session, kx_priority, &err);
+ if (ret != GNUTLS_E_SUCCESS) {
+ if (ret == GNUTLS_E_INVALID_REQUEST)
+ vlog.error("GnuTLS priority syntax error at: %s", err);
+ throw AuthFailureException("gnutls_set_priority_direct failed");
+ }
if (gnutls_certificate_allocate_credentials(&cert_cred) != GNUTLS_E_SUCCESS)
throw AuthFailureException("gnutls_certificate_allocate_credentials failed");
@@ -259,10 +268,10 @@ void CSecurityTLS::checkSession()
GNUTLS_CERT_SIGNER_NOT_FOUND |
GNUTLS_CERT_SIGNER_NOT_CA;
unsigned int status;
- const gnutls_datum *cert_list;
+ const gnutls_datum_t *cert_list;
unsigned int cert_list_size = 0;
int err;
- gnutls_datum info;
+ gnutls_datum_t info;
if (anon)
return;
@@ -298,7 +307,7 @@ void CSecurityTLS::checkSession()
throw AuthFailureException("empty certificate chain");
/* Process only server's certificate, not issuer's certificate */
- gnutls_x509_crt crt;
+ gnutls_x509_crt_t crt;
gnutls_x509_crt_init(&crt);
if (gnutls_x509_crt_import(crt, &cert_list[0], GNUTLS_X509_FMT_DER) < 0)
Index: tigervnc-1.4.3/common/rfb/CSecurityTLS.h
===================================================================
--- tigervnc-1.4.3.orig/common/rfb/CSecurityTLS.h
+++ tigervnc-1.4.3/common/rfb/CSecurityTLS.h
@@ -64,9 +64,9 @@ namespace rfb {
private:
static void initGlobal();
- gnutls_session session;
- gnutls_anon_client_credentials anon_cred;
- gnutls_certificate_credentials cert_cred;
+ gnutls_session_t session;
+ gnutls_anon_client_credentials_t anon_cred;
+ gnutls_certificate_credentials_t cert_cred;
bool anon;
char *cafile, *crlfile;
Index: tigervnc-1.4.3/common/rfb/SSecurityTLS.cxx
===================================================================
--- tigervnc-1.4.3.orig/common/rfb/SSecurityTLS.cxx
+++ tigervnc-1.4.3/common/rfb/SSecurityTLS.cxx
@@ -164,15 +164,22 @@ bool SSecurityTLS::processMsg(SConnectio
return true;
}
-void SSecurityTLS::setParams(gnutls_session session)
+void SSecurityTLS::setParams(gnutls_session_t session)
{
- static const int kx_anon_priority[] = { GNUTLS_KX_ANON_DH, 0 };
- static const int kx_priority[] = { GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA,
- GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0 };
+ static const char kx_anon_priority[] = "NORMAL:+ANON-ECDH:+ANON-DH";
+ static const char kx_priority[] = "NORMAL";
- if (gnutls_kx_set_priority(session, anon ? kx_anon_priority : kx_priority)
- != GNUTLS_E_SUCCESS)
- throw AuthFailureException("gnutls_kx_set_priority failed");
+ int ret;
+ const char *err;
+
+ ret = gnutls_priority_set_direct(session,
+ anon ? kx_anon_priority : kx_priority,
+ &err);
+ if (ret != GNUTLS_E_SUCCESS) {
+ if (ret == GNUTLS_E_INVALID_REQUEST)
+ vlog.error("GnuTLS priority syntax error at: %s", err);
+ throw AuthFailureException("gnutls_set_priority_direct failed");
+ }
if (gnutls_dh_params_init(&dh_params) != GNUTLS_E_SUCCESS)
throw AuthFailureException("gnutls_dh_params_init failed");
Index: tigervnc-1.4.3/common/rfb/SSecurityTLS.h
===================================================================
--- tigervnc-1.4.3.orig/common/rfb/SSecurityTLS.h
+++ tigervnc-1.4.3/common/rfb/SSecurityTLS.h
@@ -51,15 +51,15 @@ namespace rfb {
protected:
void shutdown();
- void setParams(gnutls_session session);
+ void setParams(gnutls_session_t session);
private:
static void initGlobal();
- gnutls_session session;
- gnutls_dh_params dh_params;
- gnutls_anon_server_credentials anon_cred;
- gnutls_certificate_credentials cert_cred;
+ gnutls_session_t session;
+ gnutls_dh_params_t dh_params;
+ gnutls_anon_server_credentials_t anon_cred;
+ gnutls_certificate_credentials_t cert_cred;
char *keyfile, *certfile;
int type;
Index: tigervnc-1.4.3/config.h.in
===================================================================
--- tigervnc-1.4.3.orig/config.h.in
+++ tigervnc-1.4.3/config.h.in
@@ -3,13 +3,6 @@
#cmakedefine HAVE_INET_ATON
#cmakedefine HAVE_GETADDRINFO
-#cmakedefine HAVE_GNUTLS_SET_GLOBAL_ERRNO
-#cmakedefine HAVE_GNUTLS_SET_ERRNO
-#cmakedefine HAVE_GNUTLS_X509_CRT_PRINT
-#cmakedefine HAVE_GNUTLS_X509_CRT_T
-#cmakedefine HAVE_GNUTLS_DATUM_T
-#cmakedefine HAVE_GNUTLS_PK_ALGORITHM_T
-#cmakedefine HAVE_GNUTLS_SIGN_ALGORITHM_T
#cmakedefine HAVE_FLTK_CLIPBOARD
#cmakedefine HAVE_FLTK_MEDIAKEYS
#cmakedefine HAVE_FLTK_FULLSCREEN

18
tigervnc.changes
View File

@ -1,3 +1,21 @@
-------------------------------------------------------------------
Wed Apr 15 10:39:07 UTC 2015 - dimstar@opensuse.org
- Add tigervnc-gnutls-3.4-required.patch: raise gnutls dependency
to 3.2. Simplifies code, but makes it build with gnutls 3.4.
Patch taken from Arch.
-------------------------------------------------------------------
Tue Apr 14 08:53:09 UTC 2015 - meissner@suse.com
- Updated to tigervnc 1.4.3
* Upstream patches applied to the underlying Xorg code base to mitigate
CVE-2015-0255 / bsc#915810.
* Fixes for performance regressions introduced in 1.4.0.
* Character encoding of clipboard text send by Java viewer now strictly
adheres to the RFB specification.
-------------------------------------------------------------------
Wed Apr 1 12:44:09 UTC 2015 - msrb@suse.com

18
tigervnc.spec
View File

@ -17,7 +17,7 @@
Name: tigervnc
Version: 1.4.1
Version: 1.4.3
Release: 0
Provides: tightvnc = 1.3.9
Obsoletes: tightvnc < 1.3.9
@ -86,12 +86,12 @@ BuildRequires: pkgconfig(xtrans) >= 1.2.2
Requires(post): update-alternatives
Requires(postun): update-alternatives
%endif
Url: http://sourceforge.net/apps/mediawiki/tigervnc/
Url: http://tigervnc.org/
BuildRoot: %{_tmppath}/%{name}-%{version}-build
Summary: A high-performance, platform-neutral implementation of VNC
License: GPL-2.0 and MIT
Group: System/X11/Servers/XF86_4
Source1: tigervnc-1.4.1.tar.gz
Source1: https://github.com/TigerVNC/tigervnc/archive/v%{version}.tar.gz
Source2: index.vnc
Source3: vnc.xinetd
Source4: 10-libvnc.conf
@ -111,6 +111,8 @@ Patch8: u_tigervnc-use_preferred_mode.patch
Patch9: u_tigervnc-cve-2014-8240.patch
Patch10: u_tigervnc-build-with-xserver-1.17.patch
Patch11: u_terminate_instead_of_ignoring_restart.patch
# Require and build against gnutls 3.x
Patch12: tigervnc-gnutls-3.4-required.patch
%description
TigerVNC is a high-performance, platform-neutral implementation of VNC (Virtual Network Computing),
@ -129,7 +131,7 @@ Group: System/X11/Servers/XF86_4
This is the TigerVNC implementation of Xvnc.
%prep
%setup -T -b1
%setup -T -b1 -q
cp -r /usr/src/xserver/* unix/xserver/
%patch1 -p1
@ -143,6 +145,7 @@ cp -r /usr/src/xserver/* unix/xserver/
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
pushd unix/xserver
patch -p1 < ../xserver116.patch
@ -213,6 +216,8 @@ ln -s -f %{_sysconfdir}/alternatives/vncviewer $RPM_BUILD_ROOT%{_bindir}/vncview
ln -s -f %{_sysconfdir}/alternatives/vncviewer.1.gz $RPM_BUILD_ROOT%{_mandir}/man1/vncviewer.1.gz
%endif
rm -rf $RPM_BUILD_ROOT/usr/share/doc/tigervnc-*
%find_lang '%{name}'
%if 0%{?suse_version} >= 1315
@ -233,9 +238,7 @@ fi
%defattr(-,root,root,-)
%ghost %{_bindir}/vncviewer
%{_bindir}/vncviewer-tigervnc
%exclude /usr/share/doc/tigervnc-1.4.1
%doc LICENCE.TXT
%doc README.txt
%doc LICENCE.TXT README.txt
%ghost %_mandir/man1/vncviewer.1.gz
%doc %_mandir/man1/vncviewer-tigervnc.1.gz
%if 0%{?suse_version} >= 1315
@ -244,6 +247,7 @@ fi
%endif
%files -n xorg-x11-Xvnc
%doc LICENCE.TXT README.txt
%defattr(-,root,root)
%{_bindir}/Xvnc

3
v1.4.3.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:0b2603db2b32dfd6e48f6f59618bd9819d187bfbb0c16218637d074a69756824
size 1372873