From 48606d2a2fff2e7d854ebc267a50763875c9629d57bb11da54bcb62550238aaa Mon Sep 17 00:00:00 2001
From: Michal Srb
Date: Thu, 16 Jul 2015 11:25:43 +0000
Subject: [PATCH] Fix warnings.

OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/tigervnc?expand=0&rev=59
---
 tigervnc-gnutls-3.4-required.patch | 719 ------------------
 tigervnc.changes | 3 +
 u_terminate_instead_of_ignoring_restart.patch | 23 -
 u_tigervnc-add-cadata-parameter.patch | 116 ---
 ...c-dont-send-ascii-control-characters.patch | 24 -
 5 files changed, 3 insertions(+), 882 deletions(-)
 delete mode 100644 tigervnc-gnutls-3.4-required.patch
 delete mode 100644 u_terminate_instead_of_ignoring_restart.patch
 delete mode 100644 u_tigervnc-add-cadata-parameter.patch
 delete mode 100644 u_tigervnc-dont-send-ascii-control-characters.patch

diff --git a/tigervnc-gnutls-3.4-required.patch b/tigervnc-gnutls-3.4-required.patch
deleted file mode 100644
index 529bd29..0000000
--- a/tigervnc-gnutls-3.4-required.patch
+++ /dev/null
@@ -1,719 +0,0 @@ -From 88c24edd8f7a793561104be50b6ecf2c85b42956 Mon Sep 17 00:00:00 2001 -From: Pierre Ossman -Date: Thu, 29 Jan 2015 13:12:22 +0100 -Subject: [PATCH] Raise GnuTLS requirements to 3.x - -This allows us to simplify things by getting rid of some old -compatibility code. People should really be using current versions -of GnuTLS anyway to stay secure. ---- - BUILDING.txt | 2 +- - CMakeLists.txt | 24 ------ - common/os/CMakeLists.txt | 3 +- - common/os/tls.cxx | 198 -------------------------------------------- - common/os/tls.h | 59 ------------- - common/rdr/TLSErrno.h | 46 ---------- - common/rdr/TLSInStream.cxx | 11 ++- - common/rdr/TLSInStream.h | 6 +- - common/rdr/TLSOutStream.cxx | 9 +- - common/rdr/TLSOutStream.h | 6 +- - common/rfb/CSecurityTLS.cxx | 31 ++++--- - common/rfb/CSecurityTLS.h | 6 +- - common/rfb/SSecurityTLS.cxx | 23 +++-- - common/rfb/SSecurityTLS.h | 10 +-- - config.h.in | 7 -- - 15 files changed, 60 insertions(+), 381 deletions(-) - delete mode 100644 common/os/tls.cxx - delete mode 100644 common/os/tls.h - delete mode 100644 common/rdr/TLSErrno.h - -Index: tigervnc-1.4.3/BUILDING.txt -=================================================================== ---- tigervnc-1.4.3.orig/BUILDING.txt -+++ tigervnc-1.4.3/BUILDING.txt -@@ -14,7 +14,7 @@ Build Requirements (All Systems) - * See "Building FLTK" below. - - -- If building TLS support: -- * GnuTLS -+ * GnuTLS 3.x - * See "Building TLS Support" below. 
- - -- If building native language support (NLS): -Index: tigervnc-1.4.3/CMakeLists.txt -=================================================================== ---- tigervnc-1.4.3.orig/CMakeLists.txt -+++ tigervnc-1.4.3/CMakeLists.txt -@@ -270,30 +270,6 @@ if(ENABLE_GNUTLS) - include_directories(${GNUTLS_INCLUDE_DIR}) - add_definitions("-DHAVE_GNUTLS") - add_definitions(${GNUTLS_DEFINITIONS}) -- -- # Detect old version of GnuTLS -- set(CMAKE_REQUIRED_FLAGS -I${GNUTLS_INCLUDE_DIR}) -- set(CMAKE_EXTRA_INCLUDE_FILES gnutls/gnutls.h) -- set(CMAKE_REQUIRED_LIBRARIES ${GNUTLS_LIBRARIES}) -- if(WIN32) -- set(CMAKE_REQUIRED_LIBRARIES ${CMAKE_REQUIRED_LIBRARIES} ws2_32 user32) -- endif() -- if(ZLIB_FOUND) -- # When we build against the static version of GnuTLS, we also use the -- # included version of Zlib, but it isn't built yet, so we have to use the -- # system's version (if available) to perform this test. -- set(CMAKE_REQUIRED_LIBRARIES ${CMAKE_REQUIRED_LIBRARIES};-lz) -- endif() -- check_function_exists(gnutls_transport_set_errno HAVE_GNUTLS_SET_ERRNO) -- check_function_exists(gnutls_transport_set_global_errno HAVE_GNUTLS_SET_GLOBAL_ERRNO) -- check_function_exists(gnutls_x509_crt_print HAVE_GNUTLS_X509_CRT_PRINT) -- check_type_size(gnutls_x509_crt_t GNUTLS_X509_CRT_T) -- check_type_size(gnutls_datum_t GNUTLS_DATUM_T) -- check_type_size(gnutls_pk_algorithm_t GNUTLS_PK_ALGORITHM_T) -- check_type_size(gnutls_sign_algorithm_t GNUTLS_SIGN_ALGORITHM_T) -- set(CMAKE_REQUIRED_FLAGS) -- set(CMAKE_EXTRA_INCLUDE_FILES) -- set(CMAKE_REQUIRED_LIBRARIES) - endif() - endif() - -Index: tigervnc-1.4.3/common/os/CMakeLists.txt -=================================================================== ---- tigervnc-1.4.3.orig/common/os/CMakeLists.txt -+++ tigervnc-1.4.3/common/os/CMakeLists.txt -@@ -2,8 +2,7 @@ include_directories(${CMAKE_SOURCE_DIR}/ - - add_library(os STATIC - w32tiger.c -- os.cxx -- tls.cxx) -+ os.cxx) - - if(UNIX) - libtool_create_control_file(os) -Index: 
tigervnc-1.4.3/common/os/tls.cxx -=================================================================== ---- tigervnc-1.4.3.orig/common/os/tls.cxx -+++ /dev/null -@@ -1,198 +0,0 @@ --/* Copyright (C) 2011 TightVNC Team. All Rights Reserved. -- * -- * This is free software; you can redistribute it and/or modify -- * it under the terms of the GNU General Public License as published by -- * the Free Software Foundation; either version 2 of the License, or -- * (at your option) any later version. -- * -- * This software is distributed in the hope that it will be useful, -- * but WITHOUT ANY WARRANTY; without even the implied warranty of -- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -- * GNU General Public License for more details. -- * -- * You should have received a copy of the GNU General Public License -- * along with this software; if not, write to the Free Software -- * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, -- * USA. -- */ -- --#ifdef HAVE_CONFIG_H --#include --#endif -- --#include -- --#include --#include --#include --#include --#include --#include --#include -- --using namespace std; -- --#if defined(HAVE_GNUTLS) && !defined(WIN32) --#include --#include -- --#ifndef HAVE_GNUTLS_X509_CRT_PRINT -- --/* Ancient GNUTLS... 
*/ --#if !defined(GNUTLS_VERSION_NUMBER) && !defined(LIBGNUTLS_VERSION_NUMBER) --#define GNUTLS_DIG_SHA1 GNUTLS_DIG_SHA --#endif -- --#define UNKNOWN_SUBJECT(err) \ -- do { \ -- ss << "unknown subject (" << gnutls_strerror(err) << "), "; \ -- } while (0) -- --#define UNKNOWN_ISSUER(err) \ -- do { \ -- ss << "unknown issuer (" << gnutls_strerror(err) << "), "; \ -- } while (0) -- -- --static void --hexprint(ostringstream &ss, const char *data, size_t len) --{ -- size_t j; -- char tmp[3]; -- -- if (len == 0) -- ss << "00"; -- else { -- for (j = 0; j < len; j++) { -- snprintf(tmp, sizeof(tmp), "%.2x", (unsigned char) data[j]); -- ss << tmp; -- } -- } --} -- --/* Implementation based on gnutls_x509_crt_print from GNUTLS */ --int --gnutls_x509_crt_print(gnutls_x509_crt_t cert, -- gnutls_certificate_print_formats_t format, -- gnutls_datum_t * out) --{ -- ostringstream ss; -- -- int err; -- -- char *dn; -- size_t dn_size = 0; -- -- /* Subject */ -- err = gnutls_x509_crt_get_dn(cert, NULL, &dn_size); -- if (err != GNUTLS_E_SHORT_MEMORY_BUFFER) -- UNKNOWN_SUBJECT(err); -- else { -- dn = (char *)malloc(dn_size); -- if (dn == NULL) { -- UNKNOWN_SUBJECT(GNUTLS_E_MEMORY_ERROR); -- } else { -- err = gnutls_x509_crt_get_dn(cert, dn, &dn_size); -- if (err < 0) { -- UNKNOWN_SUBJECT(err); -- } else -- ss << "subject `" << dn << "', "; -- free(dn); -- } -- } -- -- /* Issuer */ -- dn = NULL; -- dn_size = 0; -- err = gnutls_x509_crt_get_issuer_dn(cert, NULL, &dn_size); -- if (err != GNUTLS_E_SHORT_MEMORY_BUFFER) -- UNKNOWN_ISSUER(err); -- else { -- dn = (char *)malloc(dn_size); -- if (dn == NULL) { -- UNKNOWN_ISSUER(GNUTLS_E_MEMORY_ERROR); -- } else { -- err = gnutls_x509_crt_get_issuer_dn(cert, dn, &dn_size); -- if (err < 0) -- UNKNOWN_ISSUER(err); -- else -- ss << "issuer `" << dn << "', "; -- free(dn); -- } -- } -- -- /* Key algorithm and size */ -- unsigned int bits; -- const char *name; -- name = gnutls_pk_algorithm_get_name( (gnutls_pk_algorithm_t) -- 
gnutls_x509_crt_get_pk_algorithm(cert, &bits)); -- if (name == NULL) -- name = "Unknown"; -- ss << name << " key " << bits << " bits, "; -- -- /* Signature algorithm */ -- err = gnutls_x509_crt_get_signature_algorithm(cert); -- if (err < 0) { -- ss << "unknown signature algorithm (" << gnutls_strerror(err) -- << "), "; -- } else { -- const char *name; -- name = gnutls_sign_algorithm_get_name((gnutls_sign_algorithm_t)err); -- if (name == NULL) -- name = "Unknown"; -- -- ss << "signed using " << name; -- if (err == GNUTLS_SIGN_RSA_MD5 || err == GNUTLS_SIGN_RSA_MD2) -- ss << " (broken!)"; -- ss << ", "; -- } -- -- /* Validity */ -- time_t tim; -- char s[42]; -- size_t max = sizeof(s); -- struct tm t; -- -- tim = gnutls_x509_crt_get_activation_time(cert); -- if (gmtime_r(&tim, &t) == NULL) -- ss << "unknown activation (" << (unsigned long) tim << ")"; -- else if (strftime(s, max, "%Y-%m-%d %H:%M:%S UTC", &t) == 0) -- ss << "failed activation (" << (unsigned long) tim << ")"; -- else -- ss << "activated `" << s << "'"; -- ss << ", "; -- -- tim = gnutls_x509_crt_get_expiration_time(cert); -- if (gmtime_r(&tim, &t) == NULL) -- ss << "unknown expiry (" << (unsigned long) tim << ")"; -- else if (strftime(s, max, "%Y-%m-%d %H:%M:%S UTC", &t) == 0) -- ss << "failed expiry (" << (unsigned long) tim << ")"; -- else -- ss << "expires `" << s << "'"; -- ss << ", "; -- -- /* Fingerprint */ -- char buffer[20]; -- size_t size = sizeof(buffer); -- -- err = gnutls_x509_crt_get_fingerprint(cert, GNUTLS_DIG_SHA1, buffer, &size); -- if (err < 0) -- ss << "unknown fingerprint (" << gnutls_strerror(err) << ")"; -- else { -- ss << "SHA-1 fingerprint `"; -- hexprint(ss, buffer, size); -- ss << "'"; -- } -- -- out->data = (unsigned char *) strdup(ss.str().c_str()); -- if (out->data == NULL) -- return GNUTLS_E_MEMORY_ERROR; -- out->size = strlen((char *)out->data); -- -- return 0; --} -- --#endif /* HAVE_GNUTLS_X509_CRT_PRINT */ -- --#endif /* HAVE_GNUTLS */ -- -Index: 
tigervnc-1.4.3/common/os/tls.h -=================================================================== ---- tigervnc-1.4.3.orig/common/os/tls.h -+++ /dev/null -@@ -1,59 +0,0 @@ --/* Copyright (C) 2011 TightVNC Team. All Rights Reserved. -- * -- * This is free software; you can redistribute it and/or modify -- * it under the terms of the GNU General Public License as published by -- * the Free Software Foundation; either version 2 of the License, or -- * (at your option) any later version. -- * -- * This software is distributed in the hope that it will be useful, -- * but WITHOUT ANY WARRANTY; without even the implied warranty of -- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -- * GNU General Public License for more details. -- * -- * You should have received a copy of the GNU General Public License -- * along with this software; if not, write to the Free Software -- * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, -- * USA. -- */ -- --#ifndef OS_TLS_H --#define OS_TLS_H -- --#ifdef HAVE_CONFIG_H --#include --#endif -- --#if defined(HAVE_GNUTLS) --#include -- --#ifndef HAVE_GNUTLS_DATUM_T --typedef gnutls_datum gnutls_datum_t; --#endif --#ifndef HAVE_GNUTLS_X509_CRT_T --typedef gnutls_x509_crt gnutls_x509_crt_t; --#endif --#ifndef HAVE_GNUTLS_PK_ALGORITHM_T --typedef gnutls_pk_algorithm gnutls_pk_algorithm_t; --#endif --#ifndef HAVE_GNUTLS_SIGN_ALGORITHM_T --typedef gnutls_sign_algorithm gnutls_sign_algorithm_t; --#endif -- --#ifndef HAVE_GNUTLS_X509_CRT_PRINT -- --typedef enum { -- GNUTLS_CRT_PRINT_ONELINE = 1 --} gnutls_certificate_print_formats_t; -- --/* -- * Prints certificate in human-readable form. 
-- */ --int --gnutls_x509_crt_print(gnutls_x509_crt_t cert, -- gnutls_certificate_print_formats_t format, -- gnutls_datum_t * out); --#endif /* HAVE_GNUTLS_X509_CRT_PRINT */ --#endif /* HAVE_GNUTLS */ -- --#endif /* OS_TLS_H */ -- -Index: tigervnc-1.4.3/common/rdr/TLSErrno.h -=================================================================== ---- tigervnc-1.4.3.orig/common/rdr/TLSErrno.h -+++ /dev/null -@@ -1,46 +0,0 @@ --/* Copyright (C) 2012 Pierre Ossman for Cendio AB -- * -- * This is free software; you can redistribute it and/or modify -- * it under the terms of the GNU General Public License as published by -- * the Free Software Foundation; either version 2 of the License, or -- * (at your option) any later version. -- * -- * This software is distributed in the hope that it will be useful, -- * but WITHOUT ANY WARRANTY; without even the implied warranty of -- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -- * GNU General Public License for more details. -- * -- * You should have received a copy of the GNU General Public License -- * along with this software; if not, write to the Free Software -- * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, -- * USA. 
-- */ -- --#ifndef __RDR_TLSERRNO_H__ --#define __RDR_TLSERRNO_H__ -- --#ifdef HAVE_CONFIG_H --#include --#endif -- --#ifdef HAVE_GNUTLS -- --#include -- --namespace rdr { -- -- static inline void gnutls_errno_helper(gnutls_session session, int _errno) -- { --#if defined(HAVE_GNUTLS_SET_ERRNO) -- gnutls_transport_set_errno(session, _errno); --#elif defined(HAVE_GNUTLS_SET_GLOBAL_ERRNO) -- gnutls_transport_set_global_errno(_errno); --#else -- errno = _errno; --#endif -- } --}; -- --#endif -- --#endif -Index: tigervnc-1.4.3/common/rdr/TLSInStream.cxx -=================================================================== ---- tigervnc-1.4.3.orig/common/rdr/TLSInStream.cxx -+++ tigervnc-1.4.3/common/rdr/TLSInStream.cxx -@@ -25,7 +25,6 @@ - #include - #include - #include --#include - #include - - #ifdef HAVE_GNUTLS -@@ -33,14 +32,14 @@ using namespace rdr; - - enum { DEFAULT_BUF_SIZE = 16384 }; - --ssize_t TLSInStream::pull(gnutls_transport_ptr str, void* data, size_t size) -+ssize_t TLSInStream::pull(gnutls_transport_ptr_t str, void* data, size_t size) - { - TLSInStream* self= (TLSInStream*) str; - InStream *in = self->in; - - try { - if (!in->check(1, 1, false)) { -- gnutls_errno_helper(self->session, EAGAIN); -+ gnutls_transport_set_errno(self->session, EAGAIN); - return -1; - } - -@@ -50,17 +49,17 @@ ssize_t TLSInStream::pull(gnutls_transpo - in->readBytes(data, size); - - } catch (Exception& e) { -- gnutls_errno_helper(self->session, EINVAL); -+ gnutls_transport_set_errno(self->session, EINVAL); - return -1; - } - - return size; - } - --TLSInStream::TLSInStream(InStream* _in, gnutls_session _session) -+TLSInStream::TLSInStream(InStream* _in, gnutls_session_t _session) - : session(_session), in(_in), bufSize(DEFAULT_BUF_SIZE), offset(0) - { -- gnutls_transport_ptr recv, send; -+ gnutls_transport_ptr_t recv, send; - - ptr = end = start = new U8[bufSize]; - -Index: tigervnc-1.4.3/common/rdr/TLSInStream.h 
-=================================================================== ---- tigervnc-1.4.3.orig/common/rdr/TLSInStream.h -+++ tigervnc-1.4.3/common/rdr/TLSInStream.h -@@ -33,7 +33,7 @@ namespace rdr { - - class TLSInStream : public InStream { - public: -- TLSInStream(InStream* in, gnutls_session session); -+ TLSInStream(InStream* in, gnutls_session_t session); - virtual ~TLSInStream(); - - int pos(); -@@ -41,9 +41,9 @@ namespace rdr { - private: - int overrun(int itemSize, int nItems, bool wait); - int readTLS(U8* buf, int len, bool wait); -- static ssize_t pull(gnutls_transport_ptr str, void* data, size_t size); -+ static ssize_t pull(gnutls_transport_ptr_t str, void* data, size_t size); - -- gnutls_session session; -+ gnutls_session_t session; - InStream* in; - int bufSize; - int offset; -Index: tigervnc-1.4.3/common/rdr/TLSOutStream.cxx -=================================================================== ---- tigervnc-1.4.3.orig/common/rdr/TLSOutStream.cxx -+++ tigervnc-1.4.3/common/rdr/TLSOutStream.cxx -@@ -25,7 +25,6 @@ - #include - #include - #include --#include - #include - - #ifdef HAVE_GNUTLS -@@ -33,7 +32,7 @@ using namespace rdr; - - enum { DEFAULT_BUF_SIZE = 16384 }; - --ssize_t TLSOutStream::push(gnutls_transport_ptr str, const void* data, -+ssize_t TLSOutStream::push(gnutls_transport_ptr_t str, const void* data, - size_t size) - { - TLSOutStream* self= (TLSOutStream*) str; -@@ -43,17 +42,17 @@ ssize_t TLSOutStream::push(gnutls_transp - out->writeBytes(data, size); - out->flush(); - } catch (Exception& e) { -- gnutls_errno_helper(self->session, EINVAL); -+ gnutls_transport_set_errno(self->session, EINVAL); - return -1; - } - - return size; - } - --TLSOutStream::TLSOutStream(OutStream* _out, gnutls_session _session) -+TLSOutStream::TLSOutStream(OutStream* _out, gnutls_session_t _session) - : session(_session), out(_out), bufSize(DEFAULT_BUF_SIZE), offset(0) - { -- gnutls_transport_ptr recv, send; -+ gnutls_transport_ptr_t recv, send; - - ptr = start = new 
U8[bufSize]; - end = start + bufSize; -Index: tigervnc-1.4.3/common/rdr/TLSOutStream.h -=================================================================== ---- tigervnc-1.4.3.orig/common/rdr/TLSOutStream.h -+++ tigervnc-1.4.3/common/rdr/TLSOutStream.h -@@ -32,7 +32,7 @@ namespace rdr { - - class TLSOutStream : public OutStream { - public: -- TLSOutStream(OutStream* out, gnutls_session session); -+ TLSOutStream(OutStream* out, gnutls_session_t session); - virtual ~TLSOutStream(); - - void flush(); -@@ -43,9 +43,9 @@ namespace rdr { - - private: - int writeTLS(const U8* data, int length); -- static ssize_t push(gnutls_transport_ptr str, const void* data, size_t size); -+ static ssize_t push(gnutls_transport_ptr_t str, const void* data, size_t size); - -- gnutls_session session; -+ gnutls_session_t session; - OutStream* out; - int bufSize; - U8* start; -Index: tigervnc-1.4.3/common/rfb/CSecurityTLS.cxx -=================================================================== ---- tigervnc-1.4.3.orig/common/rfb/CSecurityTLS.cxx -+++ tigervnc-1.4.3/common/rfb/CSecurityTLS.cxx -@@ -42,7 +42,6 @@ - #include - #include - #include --#include - - #include - -@@ -202,13 +201,19 @@ bool CSecurityTLS::processMsg(CConnectio - - void CSecurityTLS::setParam() - { -- static const int kx_anon_priority[] = { GNUTLS_KX_ANON_DH, 0 }; -- static const int kx_priority[] = { GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA, -- GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0 }; -+ static const char kx_anon_priority[] = "NORMAL:+ANON-ECDH:+ANON-DH"; -+ static const char kx_priority[] = "NORMAL"; -+ -+ int ret; -+ const char *err; - - if (anon) { -- if (gnutls_kx_set_priority(session, kx_anon_priority) != GNUTLS_E_SUCCESS) -- throw AuthFailureException("gnutls_kx_set_priority failed"); -+ ret = gnutls_priority_set_direct(session, kx_anon_priority, &err); -+ if (ret != GNUTLS_E_SUCCESS) { -+ if (ret == GNUTLS_E_INVALID_REQUEST) -+ vlog.error("GnuTLS priority syntax error at: %s", err); -+ throw 
AuthFailureException("gnutls_set_priority_direct failed"); -+ } - - if (gnutls_anon_allocate_client_credentials(&anon_cred) != GNUTLS_E_SUCCESS) - throw AuthFailureException("gnutls_anon_allocate_client_credentials failed"); -@@ -218,8 +223,12 @@ void CSecurityTLS::setParam() - - vlog.debug("Anonymous session has been set"); - } else { -- if (gnutls_kx_set_priority(session, kx_priority) != GNUTLS_E_SUCCESS) -- throw AuthFailureException("gnutls_kx_set_priority failed"); -+ ret = gnutls_priority_set_direct(session, kx_priority, &err); -+ if (ret != GNUTLS_E_SUCCESS) { -+ if (ret == GNUTLS_E_INVALID_REQUEST) -+ vlog.error("GnuTLS priority syntax error at: %s", err); -+ throw AuthFailureException("gnutls_set_priority_direct failed"); -+ } - - if (gnutls_certificate_allocate_credentials(&cert_cred) != GNUTLS_E_SUCCESS) - throw AuthFailureException("gnutls_certificate_allocate_credentials failed"); -@@ -259,10 +268,10 @@ void CSecurityTLS::checkSession() - GNUTLS_CERT_SIGNER_NOT_FOUND | - GNUTLS_CERT_SIGNER_NOT_CA; - unsigned int status; -- const gnutls_datum *cert_list; -+ const gnutls_datum_t *cert_list; - unsigned int cert_list_size = 0; - int err; -- gnutls_datum info; -+ gnutls_datum_t info; - - if (anon) - return; -@@ -298,7 +307,7 @@ void CSecurityTLS::checkSession() - throw AuthFailureException("empty certificate chain"); - - /* Process only server's certificate, not issuer's certificate */ -- gnutls_x509_crt crt; -+ gnutls_x509_crt_t crt; - gnutls_x509_crt_init(&crt); - - if (gnutls_x509_crt_import(crt, &cert_list[0], GNUTLS_X509_FMT_DER) < 0) -Index: tigervnc-1.4.3/common/rfb/CSecurityTLS.h -=================================================================== ---- tigervnc-1.4.3.orig/common/rfb/CSecurityTLS.h -+++ tigervnc-1.4.3/common/rfb/CSecurityTLS.h -@@ -64,9 +64,9 @@ namespace rfb { - private: - static void initGlobal(); - -- gnutls_session session; -- gnutls_anon_client_credentials anon_cred; -- gnutls_certificate_credentials cert_cred; -+ 
gnutls_session_t session; -+ gnutls_anon_client_credentials_t anon_cred; -+ gnutls_certificate_credentials_t cert_cred; - bool anon; - - char *cafile, *crlfile; -Index: tigervnc-1.4.3/common/rfb/SSecurityTLS.cxx -=================================================================== ---- tigervnc-1.4.3.orig/common/rfb/SSecurityTLS.cxx -+++ tigervnc-1.4.3/common/rfb/SSecurityTLS.cxx -@@ -164,15 +164,22 @@ bool SSecurityTLS::processMsg(SConnectio - return true; - } - --void SSecurityTLS::setParams(gnutls_session session) -+void SSecurityTLS::setParams(gnutls_session_t session) - { -- static const int kx_anon_priority[] = { GNUTLS_KX_ANON_DH, 0 }; -- static const int kx_priority[] = { GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA, -- GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0 }; -+ static const char kx_anon_priority[] = "NORMAL:+ANON-ECDH:+ANON-DH"; -+ static const char kx_priority[] = "NORMAL"; - -- if (gnutls_kx_set_priority(session, anon ? kx_anon_priority : kx_priority) -- != GNUTLS_E_SUCCESS) -- throw AuthFailureException("gnutls_kx_set_priority failed"); -+ int ret; -+ const char *err; -+ -+ ret = gnutls_priority_set_direct(session, -+ anon ? 
kx_anon_priority : kx_priority, -+ &err); -+ if (ret != GNUTLS_E_SUCCESS) { -+ if (ret == GNUTLS_E_INVALID_REQUEST) -+ vlog.error("GnuTLS priority syntax error at: %s", err); -+ throw AuthFailureException("gnutls_set_priority_direct failed"); -+ } - - if (gnutls_dh_params_init(&dh_params) != GNUTLS_E_SUCCESS) - throw AuthFailureException("gnutls_dh_params_init failed"); -Index: tigervnc-1.4.3/common/rfb/SSecurityTLS.h -=================================================================== ---- tigervnc-1.4.3.orig/common/rfb/SSecurityTLS.h -+++ tigervnc-1.4.3/common/rfb/SSecurityTLS.h -@@ -51,15 +51,15 @@ namespace rfb { - - protected: - void shutdown(); -- void setParams(gnutls_session session); -+ void setParams(gnutls_session_t session); - - private: - static void initGlobal(); - -- gnutls_session session; -- gnutls_dh_params dh_params; -- gnutls_anon_server_credentials anon_cred; -- gnutls_certificate_credentials cert_cred; -+ gnutls_session_t session; -+ gnutls_dh_params_t dh_params; -+ gnutls_anon_server_credentials_t anon_cred; -+ gnutls_certificate_credentials_t cert_cred; - char *keyfile, *certfile; - - int type; -Index: tigervnc-1.4.3/config.h.in -=================================================================== ---- tigervnc-1.4.3.orig/config.h.in -+++ tigervnc-1.4.3/config.h.in -@@ -3,13 +3,6 @@ - - #cmakedefine HAVE_INET_ATON - #cmakedefine HAVE_GETADDRINFO --#cmakedefine HAVE_GNUTLS_SET_GLOBAL_ERRNO --#cmakedefine HAVE_GNUTLS_SET_ERRNO --#cmakedefine HAVE_GNUTLS_X509_CRT_PRINT --#cmakedefine HAVE_GNUTLS_X509_CRT_T --#cmakedefine HAVE_GNUTLS_DATUM_T --#cmakedefine HAVE_GNUTLS_PK_ALGORITHM_T --#cmakedefine HAVE_GNUTLS_SIGN_ALGORITHM_T - #cmakedefine HAVE_FLTK_CLIPBOARD - #cmakedefine HAVE_FLTK_MEDIAKEYS - #cmakedefine HAVE_FLTK_FULLSCREEN diff --git a/tigervnc.changes b/tigervnc.changes index 0eaa7f5..d801bd9 100644 --- a/tigervnc.changes +++ b/tigervnc.changes 
@@ -7,6 +7,9 @@ Wed Jul 15 11:52:02 UTC 2015 - msrb@suse.com * u_syslog.patch * u_tigervnc-build-with-xserver-1.17.patch - Use encryption everywhere. (fate#318936) + * u_tigervnc-display-SHA-1-fingerprint-of-untrusted-certificate.patch + * u_tigervnc-use-default-trust-manager-in-java-viewer-if-custom.patch + * u_tigervnc-add-autoaccept-parameter.patch - Work with fltk 1.3.2. * N_tigervnc_revert_fltk_1_3_3_requirements.patch diff --git a/u_terminate_instead_of_ignoring_restart.patch b/u_terminate_instead_of_ignoring_restart.patch deleted file mode 100644 index d15e0db..0000000 --- a/u_terminate_instead_of_ignoring_restart.patch +++ /dev/null @@ -1,23 +0,0 @@ -Author: Michal Srb -Subject: Terminate instead of ignoring reset -Patch-Mainline: To be upstreamed -References: bnc#920969 - -Index: tigervnc-1.3.0/unix/xserver/hw/vnc/xvnc.cc -=================================================================== ---- tigervnc-1.3.0.orig/unix/xserver/hw/vnc/xvnc.cc -+++ tigervnc-1.3.0/unix/xserver/hw/vnc/xvnc.cc -@@ -1607,7 +1607,12 @@ vfbScreenInit(ScreenPtr pScreen, int arg - - - static void vfbClientStateChange(CallbackListPtr*, void *, void *) { -- dispatchException &= ~DE_RESET; -+ if (dispatchException & DE_RESET) { -+ ErrorF("Warning: VNC extension does not support -reset, terminating instead. Use -noreset to prevent termination.\n"); -+ -+ dispatchException |= DE_TERMINATE; -+ dispatchException &= ~DE_RESET; -+ } - } - - #if XORG >= 113 diff --git a/u_tigervnc-add-cadata-parameter.patch b/u_tigervnc-add-cadata-parameter.patch deleted file mode 100644 index f651691..0000000 --- a/u_tigervnc-add-cadata-parameter.patch +++ /dev/null 
@@ -1,116 +0,0 @@ -diff --git a/java/com/tigervnc/rfb/CSecurityTLS.java b/java/com/tigervnc/rfb/CSecurityTLS.java -index 6014502..9b886b5 100644 ---- a/java/com/tigervnc/rfb/CSecurityTLS.java -+++ b/java/com/tigervnc/rfb/CSecurityTLS.java -@@ -47,6 +47,9 @@ public class CSecurityTLS extends CSecurity { - public static StringParameter x509crl - = new StringParameter("x509crl", - "X509 CRL file", "", Configuration.ConfigurationObject.ConfViewer); -+ public static StringParameter x509autoaccept -+ = new StringParameter("x509autoaccept", -+ "X509 Certificate SHA-1 fingerprint", "", Configuration.ConfigurationObject.ConfViewer); - - private void initGlobal() - { -@@ -71,6 +74,7 @@ public class CSecurityTLS extends CSecurity { - setDefaults(); - cafile = x509ca.getData(); - crlfile = x509crl.getData(); -+ certautoaccept = x509autoaccept.getData(); - } - - public static String getDefaultCA() { -@@ -247,34 +251,46 @@ public class CSecurityTLS extends CSecurity { - try { - tm.checkServerTrusted(chain, authType); - } catch (CertificateException e) { -- Object[] answer = {"Proceed", "Exit"}; -- -- StringBuilder message = new StringBuilder(); -- message.append(e.getCause().getLocalizedMessage()); -- message.append("\nContinue connecting to this host?"); -+ String fingerprint = null; - - try { -+ StringBuilder fingerprintBuilder = new StringBuilder(); -+ - MessageDigest sha1 = MessageDigest.getInstance("SHA1"); - sha1.update(chain[0].getEncoded()); - -- message.append("\nSHA-1 fingerprint: "); -- - for(byte B : sha1.digest()) { -- message.append(Integer.toHexString(0xff & B)); -- message.append(':'); -+ fingerprintBuilder.append(String.format("%02x", /*0xff & */B)); -+ fingerprintBuilder.append(':'); - } -- message.deleteCharAt(message.length() - 1); -+ fingerprintBuilder.deleteCharAt(fingerprintBuilder.length() - 1); -+ -+ fingerprint = fingerprintBuilder.toString(); - } catch (NoSuchAlgorithmException noSuchAlgorithmException) { - // No fingerprint then... 
- } - -- int ret = JOptionPane.showOptionDialog(null, -- message.toString(), -- "Confirm certificate exception?", -- JOptionPane.YES_NO_OPTION, JOptionPane.WARNING_MESSAGE, -- null, answer, answer[0]); -- if (ret == JOptionPane.NO_OPTION) -- System.exit(1); -+ if(fingerprint == null || certautoaccept == null || !fingerprint.equalsIgnoreCase(certautoaccept)) { -+ Object[] answer = {"Proceed", "Exit"}; -+ -+ StringBuilder message = new StringBuilder(); -+ message.append(e.getCause().getLocalizedMessage()); -+ message.append("\nContinue connecting to this host?"); -+ if(fingerprint != null) { -+ message.append("\nSHA-1 fingerprint: "); -+ message.append(fingerprint); -+ message.append("\nBle: "); -+ message.append(certautoaccept); -+ } -+ -+ int ret = JOptionPane.showOptionDialog(null, -+ message.toString(), -+ "Confirm certificate exception?", -+ JOptionPane.YES_NO_OPTION, JOptionPane.WARNING_MESSAGE, -+ null, answer, answer[0]); -+ if (ret == JOptionPane.NO_OPTION) -+ System.exit(1); -+ } - } catch (java.lang.Exception e) { - throw new Exception(e.toString()); - } -@@ -301,7 +317,7 @@ public class CSecurityTLS extends CSecurity { - private SSLEngineManager manager; - private boolean anon; - -- private String cafile, crlfile; -+ private String cafile, crlfile, certautoaccept; - private FdInStream is; - private FdOutStream os; - -diff --git a/java/com/tigervnc/vncviewer/VncViewer.java b/java/com/tigervnc/vncviewer/VncViewer.java -index cc21c2e..6786636 100644 ---- a/java/com/tigervnc/vncviewer/VncViewer.java -+++ b/java/com/tigervnc/vncviewer/VncViewer.java -@@ -354,6 +354,8 @@ public class VncViewer extends javax.swing.JApplet - parent.setFocusTraversalKeysEnabled(false); - setLookAndFeel(); - setBackground(Color.white); -+ -+ SecurityClient.setDefaults(); - } - - private void getTimestamp() { -@@ -375,6 +377,7 @@ public class VncViewer extends javax.swing.JApplet - if (embed.getValue() && nViewers == 0) { - alwaysShowServerDialog.setParam(false); - 
Configuration.global().readAppletParams(this); -+ Configuration.viewer().readAppletParams(this); - fullScreen.setParam(false); - scalingFactor.setParam("100"); - String host = getCodeBase().getHost(); diff --git a/u_tigervnc-dont-send-ascii-control-characters.patch b/u_tigervnc-dont-send-ascii-control-characters.patch deleted file mode 100644 index f570e72..0000000 --- a/u_tigervnc-dont-send-ascii-control-characters.patch +++ /dev/null @@ -1,24 +0,0 @@ -Author: Michal Srb -Subject: Do not send ascii control characters for CTRL+[A-Z] combinations. -Patch-Mainline: To be upstreamed -References: bnc#864666 - -Index: vncviewer/Viewport.cxx -=================================================================== ---- vncviewer/Viewport.cxx.orig -+++ vncviewer/Viewport.cxx -@@ -1044,7 +1044,13 @@ rdr::U32 Viewport::translateKeyEvent(voi - return NoSymbol; - } - -- ucs = fl_utf8decode(keyText, NULL, NULL); -+ if (keyCode >= 'a' && keyCode <= 'z' && keyText[0] < 0x20) { -+ // Do not send ascii control characters - send the original key combination that caused them. -+ ucs = keyCode; -+ } else { -+ ucs = fl_utf8decode(keyText, NULL, NULL); -+ } -+ - return ucs2keysym(ucs); - } -